Replace insecure obsolete method (new RNGCryptoServiceProvider()) with RandomNumberGenerator.Create() in PkzipClassic, ZipFile and ZipOutputStream.

yihezkel · yihezkel · commit 8a9dcb90a225 · 2022-08-15T11:50:25.000+03:00
diff --git a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
@@ -6,7 +6,7 @@ namespace ICSharpCode.SharpZipLib.Encryption
 {
 	/// <summary>
 	/// PkzipClassic embodies the classic or original encryption facilities used in Pkzip archives.
-	/// While it has been superceded by more recent and more powerful algorithms, its still in use and
+	/// While it has been superseded by more recent and more powerful algorithms, its still in use and
 	/// is viable for preventing casual snooping
 	/// </summary>
 	public abstract class PkzipClassic : SymmetricAlgorithm
@@ -444,7 +444,7 @@ public override byte[] Key
 		public override void GenerateKey()
 		{
 			key_ = new byte[12];
-			using (var rng = new RNGCryptoServiceProvider())
+			using (var rng = RandomNumberGenerator.Create())
 			{
 				rng.GetBytes(key_);
 			}
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
@@ -3781,7 +3781,7 @@ private static void CheckClassicPassword(CryptoStream classicCryptoStream, ZipEn
 		private static void WriteEncryptionHeader(Stream stream, long crcValue)
 		{
 			byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
-			using (var rng = new RNGCryptoServiceProvider())
+			using (var rng = RandomNumberGenerator.Create())
 			{
 				rng.GetBytes(cryptBuffer);
 			}
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
@@ -723,7 +723,7 @@ private byte[] CreateZipCryptoHeader(long crcValue)
 			InitializeZipCryptoPassword(Password);
 
 			byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
-			using (var rng = new RNGCryptoServiceProvider())
+			using (var rng = RandomNumberGenerator.Create())
 			{
 				rng.GetBytes(cryptBuffer);
 			}
@@ -808,11 +808,11 @@ public override void Write(byte[] buffer, int offset, int count)
 
 		private void CopyAndEncrypt(byte[] buffer, int offset, int count)
 		{
-			const int CopyBufferSize = 4096;
-			byte[] localBuffer = new byte[CopyBufferSize];
+			const int copyBufferSize = 4096;
+			byte[] localBuffer = new byte[copyBufferSize];
 			while (count > 0)
 			{
-				int bufferCount = (count < CopyBufferSize) ? count : CopyBufferSize;
+				int bufferCount = (count < copyBufferSize) ? count : copyBufferSize;
 
 				Array.Copy(buffer, offset, localBuffer, 0, bufferCount);
 				EncryptBlock(localBuffer, 0, bufferCount);

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ namespace ICSharpCode.SharpZipLib.Encryption`
`6`	`6`	`{`
`7`	`7`	`/// <summary>`
`8`	`8`	`/// PkzipClassic embodies the classic or original encryption facilities used in Pkzip archives.`
`9`		`- /// While it has been superceded by more recent and more powerful algorithms, its still in use and`
	`9`	`+ /// While it has been superseded by more recent and more powerful algorithms, its still in use and`
`10`	`10`	`/// is viable for preventing casual snooping`
`11`	`11`	`/// </summary>`
`12`	`12`	`public abstract class PkzipClassic : SymmetricAlgorithm`
`@@ -444,7 +444,7 @@ public override byte[] Key`
`444`	`444`	`public override void GenerateKey()`
`445`	`445`	`{`
`446`	`446`	`key_ = new byte[12];`
`447`		`- using (var rng = new RNGCryptoServiceProvider())`
	`447`	`+ using (var rng = RandomNumberGenerator.Create())`
`448`	`448`	`{`
`449`	`449`	`rng.GetBytes(key_);`
`450`	`450`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3781,7 +3781,7 @@ private static void CheckClassicPassword(CryptoStream classicCryptoStream, ZipEn`
`3781`	`3781`	`private static void WriteEncryptionHeader(Stream stream, long crcValue)`
`3782`	`3782`	`{`
`3783`	`3783`	`byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];`
`3784`		`- using (var rng = new RNGCryptoServiceProvider())`
	`3784`	`+ using (var rng = RandomNumberGenerator.Create())`
`3785`	`3785`	`{`
`3786`	`3786`	`rng.GetBytes(cryptBuffer);`
`3787`	`3787`	`}`
Original file line number	Diff line number	Diff line change
`@@ -723,7 +723,7 @@ private byte[] CreateZipCryptoHeader(long crcValue)`
`723`	`723`	`InitializeZipCryptoPassword(Password);`
`724`	`724`
`725`	`725`	`byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];`
`726`		`- using (var rng = new RNGCryptoServiceProvider())`
	`726`	`+ using (var rng = RandomNumberGenerator.Create())`
`727`	`727`	`{`
`728`	`728`	`rng.GetBytes(cryptBuffer);`
`729`	`729`	`}`
`@@ -808,11 +808,11 @@ public override void Write(byte[] buffer, int offset, int count)`
`808`	`808`
`809`	`809`	`private void CopyAndEncrypt(byte[] buffer, int offset, int count)`
`810`	`810`	`{`
`811`		`- const int CopyBufferSize = 4096;`
`812`		`- byte[] localBuffer = new byte[CopyBufferSize];`
	`811`	`+ const int copyBufferSize = 4096;`
	`812`	`+ byte[] localBuffer = new byte[copyBufferSize];`
`813`	`813`	`while (count > 0)`
`814`	`814`	`{`
`815`		`- int bufferCount = (count < CopyBufferSize) ? count : CopyBufferSize;`
	`815`	`+ int bufferCount = (count < copyBufferSize) ? count : copyBufferSize;`
`816`	`816`
`817`	`817`	`Array.Copy(buffer, offset, localBuffer, 0, bufferCount);`
`818`	`818`	`EncryptBlock(localBuffer, 0, bufferCount);`