mirror/php-zip
1
0
Fork 0
mirror of https://github.com/Ne-Lexa/php-zip.git synced 2025-07-19 06:51:24 +02:00
Code Issues Releases Wiki Activity

Fixed bug from issues 1

Browse Source 
- Fixed encryption and decryption Traditional PKWARE Encryption - add casting to 32-bit integer.
- The restriction on the length of the password to 99 characters for the WinZIP AES Encryption method.
This commit is contained in:
wapplay-home-linux
2016-12-14 12:34:59 +03:00
parent f2ffdae0c2
commit 11a7c16f1b
4 changed files with 73 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/PhpZip/Crypto/TraditionalPkwareEncryptionEngine.php
View File

@@ -105,9 +105,26 @@ class TraditionalPkwareEncryptionEngine
private function updateKeys($charAt) private function updateKeys($charAt)
{ {
$this->keys[0] = self::crc32($this->keys[0], $charAt); $this->keys[0] = self::crc32($this->keys[0], $charAt);
$this->keys[1] = ($this->keys[1] + ($this->keys[0] & 0xff)) & 4294967295; $this->keys[1] = $this->keys[1] + ($this->keys[0] & 0xff);
$this->keys[1] = ($this->keys[1] * 134775813 + 1) & 4294967295; $this->keys[1] = self::toInt($this->keys[1] * 134775813 + 1);
$this->keys[2] = self::crc32($this->keys[2], ($this->keys[1] >> 24) & 0xff); $this->keys[2] = self::toInt(self::crc32($this->keys[2], ($this->keys[1] >> 24) & 0xff));
}
/**
* Cast to int
*
* @param $i
* @return int
*/
private static function toInt($i)
{
$i = (int)($i & 0xffffffff);
if ($i > 2147483647) {
return -(-$i & 0xffffffff);
} elseif ($i < -2147483648) {
return $i & -2147483648;
}
return $i;
} }
/** /**

16
src/PhpZip/Crypto/WinZipAesEngine.php
View File

@@ -88,16 +88,20 @@ class WinZipAesEngine
throw new ZipCryptoException("Expected end of file after WinZip AES authentication code!"); throw new ZipCryptoException("Expected end of file after WinZip AES authentication code!");
} }
do { $password = $this->entry->getPassword();
assert($this->entry->getPassword() !== null); assert($password !== null);
assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits); assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits);
// WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
do {
// Here comes the strange part about WinZip AES encryption: // Here comes the strange part about WinZip AES encryption:
// Its unorthodox use of the Password-Based Key Derivation // Its unorthodox use of the Password-Based Key Derivation
// Function 2 (PBKDF2) of PKCS #5 V2.0 alias RFC 2898. // Function 2 (PBKDF2) of PKCS #5 V2.0 alias RFC 2898.
// Yes, the password verifier is only a 16 bit value. // Yes, the password verifier is only a 16 bit value.
// So we must use the MAC for password verification, too. // So we must use the MAC for password verification, too.
$keyParam = hash_pbkdf2("sha1", $this->entry->getPassword(), $salt, self::ITERATION_COUNT, (2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8, true); $keyParam = hash_pbkdf2("sha1", $password, $salt, self::ITERATION_COUNT, (2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8, true);
$ctrIvSize = self::AES_BLOCK_SIZE_BITS / 8; $ctrIvSize = self::AES_BLOCK_SIZE_BITS / 8;
$iv = str_repeat(chr(0), $ctrIvSize); $iv = str_repeat(chr(0), $ctrIvSize);
@@ -202,6 +206,10 @@ class WinZipAesEngine
$password = $this->entry->getPassword(); $password = $this->entry->getPassword();
assert($password !== null); assert($password !== null);
// WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
$keyStrengthBytes = 32; $keyStrengthBytes = 32;
$keyStrengthBits = $keyStrengthBytes * 8; $keyStrengthBits = $keyStrengthBytes * 8;

6
tests/PhpZip/ZipTest.php
View File

@@ -752,7 +752,7 @@ class ZipTest extends ZipTestCase
*/ */
public function testSetPassword() public function testSetPassword()
{ {
$password = CryptoUtil::randomBytes(100); $password = base64_encode(CryptoUtil::randomBytes(100));
$badPassword = "sdgt43r23wefe"; $badPassword = "sdgt43r23wefe";
$outputZip = ZipOutputFile::create(); $outputZip = ZipOutputFile::create();
@@ -761,6 +761,8 @@ class ZipTest extends ZipTestCase
$outputZip->saveAsFile($this->outputFilename); $outputZip->saveAsFile($this->outputFilename);
$outputZip->close(); $outputZip->close();
self::assertCorrectZipArchive($this->outputFilename, $password);
$zipFile = ZipFile::openFromFile($this->outputFilename); $zipFile = ZipFile::openFromFile($this->outputFilename);
// set bad password Traditional Encryption // set bad password Traditional Encryption
@@ -791,6 +793,8 @@ class ZipTest extends ZipTestCase
$outputZip->close(); $outputZip->close();
$zipFile->close(); $zipFile->close();
self::assertCorrectZipArchive($this->outputFilename, $password);
// check from WinZip AES encryption // check from WinZip AES encryption
$zipFile = ZipFile::openFromFile($this->outputFilename); $zipFile = ZipFile::openFromFile($this->outputFilename);

44
tests/PhpZip/ZipTestCase.php
View File

@@ -9,18 +9,47 @@ class ZipTestCase extends \PHPUnit_Framework_TestCase
/** /**
* Assert correct zip archive. * Assert correct zip archive.
* *
* @param $filename * @param string $filename
* @param string|null $password
*/ */
public static function assertCorrectZipArchive($filename) public static function assertCorrectZipArchive($filename, $password = null)
{ {
if (DIRECTORY_SEPARATOR !== '\\' && `which zip`) { if (DIRECTORY_SEPARATOR !== '\\' && `which unzip`) {
exec("zip -T " . escapeshellarg($filename), $output, $returnCode); $command = "unzip";
if ($password !== null) {
$command .= " -P " . escapeshellarg($password);
}
$command .= " -t " . escapeshellarg($filename);
exec($command, $output, $returnCode);
$output = implode(PHP_EOL, $output); $output = implode(PHP_EOL, $output);
self::assertEquals($returnCode, 0); if ($password !== null && $returnCode === 81) {
self::assertNotContains('zip error', $output); if(`which 7z`){
self::assertContains(' OK', $output); // WinZip 99-character limit
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
$password = substr($password, 0, 99);
$command = "7z t -p" . escapeshellarg($password). " " . escapeshellarg($filename);
exec($command, $output, $returnCode);
$output = implode(PHP_EOL, $output);
self::assertEquals($returnCode, 0);
self::assertNotContains(' Errors', $output);
self::assertContains(' Ok', $output);
}
else{
fwrite(STDERR, 'Program unzip cannot support this function.'.PHP_EOL);
fwrite(STDERR, 'Please install 7z. For Ubuntu-like: sudo apt-get install p7zip-full'.PHP_EOL);
}
}
else {
self::assertEquals($returnCode, 0);
self::assertNotContains('incorrect password', $output);
self::assertContains(' OK', $output);
self::assertContains('No errors', $output);
}
} }
} }
@@ -52,7 +81,6 @@ class ZipTestCase extends \PHPUnit_Framework_TestCase
exec("zipalign -c -v 4 " . escapeshellarg($filename), $output, $returnCode); exec("zipalign -c -v 4 " . escapeshellarg($filename), $output, $returnCode);
return $returnCode === 0; return $returnCode === 0;
} else { } else {
echo 'Can not find program "zipalign" for test' . PHP_EOL;
fwrite(STDERR, 'Can not find program "zipalign" for test'); fwrite(STDERR, 'Can not find program "zipalign" for test');
return null; return null;
} }