Home Explore Help
Register Sign In
luo
/
ShakerControl
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 9f4b180544
Branches Tags
ShakerControl
/
ActiveMQ
/
ICSharpCode.SharpZipLib
/
Encryption
/
ZipAESTransform.cs

ZipAESTransform.cs 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 
  1. using System;
    2. 

  2. using System.Security.Cryptography;
    3. 

  3. 

  4. namespace ICSharpCode.SharpZipLib.Encryption
    5. 

  5. {
    6. 

  6. 	/// <summary>
    7. 

  7. 	/// Transforms stream using AES in CTR mode
    8. 

  8. 	/// </summary>
    9. 

  9. 	internal class ZipAESTransform : ICryptoTransform
    10. 

  10. 	{
    11. 

  11. 		private const int PWD_VER_LENGTH = 2;
    12. 

  12. 

  13. 		// WinZip use iteration count of 1000 for PBKDF2 key generation
    14. 

  14. 		private const int KEY_ROUNDS = 1000;
    15. 

  15. 

  16. 		// For 128-bit AES (16 bytes) the encryption is implemented as expected.
    17. 

  17. 		// For 256-bit AES (32 bytes) WinZip do full 256 bit AES of the nonce to create the encryption
    18. 

  18. 		// block but use only the first 16 bytes of it, and discard the second half.
    19. 

  19. 		private const int ENCRYPT_BLOCK = 16;
    20. 

  20. 

  21. 		private int _blockSize;
    22. 

  22. 		private readonly ICryptoTransform _encryptor;
    23. 

  23. 		private readonly byte[] _counterNonce;
    24. 

  24. 		private byte[] _encryptBuffer;
    25. 

  25. 		private int _encrPos;
    26. 

  26. 		private byte[] _pwdVerifier;
    27. 

  27. 		private IncrementalHash _hmacsha1;
    28. 

  28. 		private byte[] _authCode = null;
    29. 

  29. 

  30. 		private bool _writeMode;
    31. 

  31. 

  32. 		/// <summary>
    33. 

  33. 		/// Constructor.
    34. 

  34. 		/// </summary>
    35. 

  35. 		/// <param name="key">Password string</param>
    36. 

  36. 		/// <param name="saltBytes">Random bytes, length depends on encryption strength.
    37. 

  37. 		/// 128 bits = 8 bytes, 192 bits = 12 bytes, 256 bits = 16 bytes.</param>
    38. 

  38. 		/// <param name="blockSize">The encryption strength, in bytes eg 16 for 128 bits.</param>
    39. 

  39. 		/// <param name="writeMode">True when creating a zip, false when reading. For the AuthCode.</param>
    40. 

  40. 		///
    41. 

  41. 		public ZipAESTransform(string key, byte[] saltBytes, int blockSize, bool writeMode)
    42. 

  42. 		{
    43. 

  43. 			if (blockSize != 16 && blockSize != 32) // 24 valid for AES but not supported by Winzip
    44. 

  44. 				throw new Exception("Invalid blocksize " + blockSize + ". Must be 16 or 32.");
    45. 

  45. 			if (saltBytes.Length != blockSize / 2)
    46. 

  46. 				throw new Exception("Invalid salt len. Must be " + blockSize / 2 + " for blocksize " + blockSize);
    47. 

  47. 			// initialise the encryption buffer and buffer pos
    48. 

  48. 			_blockSize = blockSize;
    49. 

  49. 			_encryptBuffer = new byte[_blockSize];
    50. 

  50. 			_encrPos = ENCRYPT_BLOCK;
    51. 

  51. 

  52. 			// Performs the equivalent of derive_key in Dr Brian Gladman's pwd2key.c
    53. 

  53. #if NET472_OR_GREATER || NETSTANDARD2_1_OR_GREATER || NETCOREAPP2_0_OR_GREATER||NETCOREAPP
    54. 

  54. 			var pdb = new Rfc2898DeriveBytes(key, saltBytes, KEY_ROUNDS, HashAlgorithmName.SHA1);
    55. 

  55. #else
    56. 

  56. 			var pdb = new Rfc2898DeriveBytes(key, saltBytes, KEY_ROUNDS);
    57. 

  57. #endif
    58. 

  58. 			var rm = Aes.Create();
    59. 

  59. 			rm.Mode = CipherMode.ECB;           // No feedback from cipher for CTR mode
    60. 

  60. 			_counterNonce = new byte[_blockSize];
    61. 

  61. 			byte[] key1bytes = pdb.GetBytes(_blockSize);
    62. 

  62. 			byte[] key2bytes = pdb.GetBytes(_blockSize);
    63. 

  63. 

  64. 			// Use empty IV for AES
    65. 

  65. 			_encryptor = rm.CreateEncryptor(key1bytes, new byte[16]);
    66. 

  66. 			_pwdVerifier = pdb.GetBytes(PWD_VER_LENGTH);
    67. 

  67. 			//
    68. 

  68. 			_hmacsha1 = IncrementalHash.CreateHMAC(HashAlgorithmName.SHA1, key2bytes);
    69. 

  69. 			_writeMode = writeMode;
    70. 

  70. 		}
    71. 

  71. 

  72. 		/// <summary>
    73. 

  73. 		/// Implement the ICryptoTransform method.
    74. 

  74. 		/// </summary>
    75. 

  75. 		public int TransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
    76. 

  76. 		{
    77. 

  77. 			// Pass the data stream to the hash algorithm for generating the Auth Code.
    78. 

  78. 			// This does not change the inputBuffer. Do this before decryption for read mode.
    79. 

  79. 			if (!_writeMode)
    80. 

  80. 			{
    81. 

  81. 				_hmacsha1.AppendData(inputBuffer, inputOffset, inputCount);
    82. 

  82. 			}
    83. 

  83. 			// Encrypt with AES in CTR mode. Regards to Dr Brian Gladman for this.
    84. 

  84. 			int ix = 0;
    85. 

  85. 			while (ix < inputCount)
    86. 

  86. 			{
    87. 

  87. 				if (_encrPos == ENCRYPT_BLOCK)
    88. 

  88. 				{
    89. 

  89. 					/* increment encryption nonce   */
    90. 

  90. 					int j = 0;
    91. 

  91. 					while (++_counterNonce[j] == 0)
    92. 

  92. 					{
    93. 

  93. 						++j;
    94. 

  94. 					}
    95. 

  95. 					/* encrypt the nonce to form next xor buffer    */
    96. 

  96. 					_encryptor.TransformBlock(_counterNonce, 0, _blockSize, _encryptBuffer, 0);
    97. 

  97. 					_encrPos = 0;
    98. 

  98. 				}
    99. 

  99. 				outputBuffer[ix + outputOffset] = (byte)(inputBuffer[ix + inputOffset] ^ _encryptBuffer[_encrPos++]);
    100. 

  100. 				//
    101. 

  101. 				ix++;
    102. 

  102. 			}
    103. 

  103. 			if (_writeMode)
    104. 

  104. 			{
    105. 

  105. 				// This does not change the buffer.
    106. 

  106. 				_hmacsha1.AppendData(outputBuffer, outputOffset, inputCount);
    107. 

  107. 			}
    108. 

  108. 			return inputCount;
    109. 

  109. 		}
    110. 

  110. 

  111. 		/// <summary>
    112. 

  112. 		/// Returns the 2 byte password verifier
    113. 

  113. 		/// </summary>
    114. 

  114. 		public byte[] PwdVerifier => _pwdVerifier;
    115. 

  115. 

  116. 		/// <summary>
    117. 

  117. 		/// Returns the 10 byte AUTH CODE to be checked or appended immediately following the AES data stream.
    118. 

  118. 		/// </summary>
    119. 

  119. 		public byte[] GetAuthCode() => _authCode ?? (_authCode = _hmacsha1.GetHashAndReset());
    120. 

  120. 

  121. 		#region ICryptoTransform Members
    122. 

  122. 

  123. 		/// <summary>
    124. 

  124. 		/// Transform final block and read auth code
    125. 

  125. 		/// </summary>
    126. 

  126. 		public byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
    127. 

  127. 		{
    128. 

  128. 			var buffer = Array.Empty<byte>();
    129. 

  129. 

  130. 			// FIXME: When used together with `ZipAESStream`, the final block handling is done inside of it instead
    131. 

  131. 			// This should not be necessary anymore, and the entire `ZipAESStream` class should be replaced with a plain `CryptoStream`
    132. 

  132. 			if (inputCount != 0) {
    133. 

  133. 				if (inputCount > ZipAESStream.AUTH_CODE_LENGTH)
    134. 

  134. 				{
    135. 

  135. 					// At least one byte of data is preceeding the auth code
    136. 

  136. 					int finalBlock = inputCount - ZipAESStream.AUTH_CODE_LENGTH;
    137. 

  137. 					buffer = new byte[finalBlock];
    138. 

  138. 					TransformBlock(inputBuffer, inputOffset, finalBlock, buffer, 0);
    139. 

  139. 				}
    140. 

  140. 				else if (inputCount < ZipAESStream.AUTH_CODE_LENGTH)
    141. 

  141. 					throw new Zip.ZipException("Auth code missing from input stream");
    142. 

  142. 

  143. 				// Read the authcode from the last 10 bytes
    144. 

  144. 				_authCode = _hmacsha1.GetHashAndReset();
    145. 

  145. 			}
    146. 

  146. 			
    147. 

  147. 

  148. 			return buffer;
    149. 

  149. 		}
    150. 

  150. 

  151. 		/// <summary>
    152. 

  152. 		/// Gets the size of the input data blocks in bytes.
    153. 

  153. 		/// </summary>
    154. 

  154. 		public int InputBlockSize => _blockSize;
    155. 

  155. 

  156. 		/// <summary>
    157. 

  157. 		/// Gets the size of the output data blocks in bytes.
    158. 

  158. 		/// </summary>
    159. 

  159. 		public int OutputBlockSize => _blockSize;
    160. 

  160. 

  161. 		/// <summary>
    162. 

  162. 		/// Gets a value indicating whether multiple blocks can be transformed.
    163. 

  163. 		/// </summary>
    164. 

  164. 		public bool CanTransformMultipleBlocks => true;
    165. 

  165. 

  166. 		/// <summary>
    167. 

  167. 		/// Gets a value indicating whether the current transform can be reused.
    168. 

  168. 		/// </summary>
    169. 

  169. 		public bool CanReuseTransform => true;
    170. 

  170. 

  171. 		/// <summary>
    172. 

  172. 		/// Cleanup internal state.
    173. 

  173. 		/// </summary>
    174. 

  174. 		public void Dispose() => _encryptor.Dispose();
    175. 

  175. 

  176. 		#endregion ICryptoTransform Members
    177. 

  177. 	}
    178. 

  178. }
    179.