253 lines
8.5 KiB
PHP
253 lines
8.5 KiB
PHP
<?php
|
|
|
|
namespace PhpZip\Crypto;
|
|
|
|
use PhpZip\Exception\RuntimeException;
|
|
use PhpZip\Exception\ZipAuthenticationException;
|
|
use PhpZip\Exception\ZipCryptoException;
|
|
use PhpZip\Extra\Fields\WinZipAesEntryExtraField;
|
|
use PhpZip\Model\ZipEntry;
|
|
use PhpZip\Util\CryptoUtil;
|
|
|
|
/**
|
|
* WinZip Aes Encryption Engine.
|
|
*
|
|
* @see https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT .ZIP File Format Specification
|
|
* @author Ne-Lexa alexey@nelexa.ru
|
|
* @license MIT
|
|
*/
|
|
class WinZipAesEngine implements ZipEncryptionEngine
|
|
{
|
|
/**
|
|
* The block size of the Advanced Encryption Specification (AES) Algorithm
|
|
* in bits (AES_BLOCK_SIZE_BITS).
|
|
*/
|
|
const AES_BLOCK_SIZE_BITS = 128;
|
|
const PWD_VERIFIER_BITS = 16;
|
|
/**
|
|
* The iteration count for the derived keys of the cipher, KLAC and MAC.
|
|
*/
|
|
const ITERATION_COUNT = 1000;
|
|
/**
|
|
* @var ZipEntry
|
|
*/
|
|
private $entry;
|
|
|
|
/**
|
|
* WinZipAesEngine constructor.
|
|
* @param ZipEntry $entry
|
|
*/
|
|
public function __construct(ZipEntry $entry)
|
|
{
|
|
$this->entry = $entry;
|
|
}
|
|
|
|
/**
|
|
* Decrypt from stream resource.
|
|
*
|
|
* @param string $content Input stream buffer
|
|
* @return string
|
|
* @throws ZipAuthenticationException
|
|
* @throws ZipCryptoException
|
|
*/
|
|
public function decrypt($content)
|
|
{
|
|
$extraFieldsCollection = $this->entry->getExtraFieldsCollection();
|
|
|
|
if (!isset($extraFieldsCollection[WinZipAesEntryExtraField::getHeaderId()])) {
|
|
throw new ZipCryptoException($this->entry->getName() . " (missing extra field for WinZip AES entry)");
|
|
}
|
|
|
|
/**
|
|
* @var WinZipAesEntryExtraField $field
|
|
*/
|
|
$field = $extraFieldsCollection[WinZipAesEntryExtraField::getHeaderId()];
|
|
|
|
// Get key strength.
|
|
$keyStrengthBits = $field->getKeyStrength();
|
|
$keyStrengthBytes = $keyStrengthBits / 8;
|
|
|
|
$pos = $keyStrengthBytes / 2;
|
|
$salt = substr($content, 0, $pos);
|
|
$passwordVerifier = substr($content, $pos, self::PWD_VERIFIER_BITS / 8);
|
|
$pos += self::PWD_VERIFIER_BITS / 8;
|
|
|
|
$sha1Size = 20;
|
|
|
|
// Init start, end and size of encrypted data.
|
|
$start = $pos;
|
|
$endPos = strlen($content);
|
|
$footerSize = $sha1Size / 2;
|
|
$end = $endPos - $footerSize;
|
|
$size = $end - $start;
|
|
|
|
if (0 > $size) {
|
|
throw new ZipCryptoException($this->entry->getName() . " (false positive WinZip AES entry is too short)");
|
|
}
|
|
|
|
// Load authentication code.
|
|
$authenticationCode = substr($content, $end, $footerSize);
|
|
if ($end + $footerSize !== $endPos) {
|
|
// This should never happen unless someone is writing to the
|
|
// end of the file concurrently!
|
|
throw new ZipCryptoException("Expected end of file after WinZip AES authentication code!");
|
|
}
|
|
|
|
$password = $this->entry->getPassword();
|
|
assert($password !== null);
|
|
assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits);
|
|
|
|
// WinZip 99-character limit
|
|
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
|
|
$password = substr($password, 0, 99);
|
|
$ctrIvSize = self::AES_BLOCK_SIZE_BITS / 8;
|
|
$iv = str_repeat(chr(0), $ctrIvSize);
|
|
do {
|
|
// Here comes the strange part about WinZip AES encryption:
|
|
// Its unorthodox use of the Password-Based Key Derivation
|
|
// Function 2 (PBKDF2) of PKCS #5 V2.0 alias RFC 2898.
|
|
// Yes, the password verifier is only a 16 bit value.
|
|
// So we must use the MAC for password verification, too.
|
|
$keyParam = hash_pbkdf2(
|
|
"sha1",
|
|
$password,
|
|
$salt,
|
|
self::ITERATION_COUNT,
|
|
(2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8,
|
|
true
|
|
);
|
|
$key = substr($keyParam, 0, $keyStrengthBytes);
|
|
$sha1MacParam = substr($keyParam, $keyStrengthBytes, $keyStrengthBytes);
|
|
// Verify password.
|
|
} while (!$passwordVerifier === substr($keyParam, 2 * $keyStrengthBytes));
|
|
|
|
$content = substr($content, $start, $size);
|
|
$mac = hash_hmac('sha1', $content, $sha1MacParam, true);
|
|
|
|
if (substr($mac, 0, 10) !== $authenticationCode) {
|
|
throw new ZipAuthenticationException($this->entry->getName() .
|
|
" (authenticated WinZip AES entry content has been tampered with)");
|
|
}
|
|
|
|
return self::aesCtrSegmentIntegerCounter(false, $content, $key, $iv);
|
|
}
|
|
|
|
/**
|
|
* Decryption or encryption AES-CTR with Segment Integer Count (SIC).
|
|
*
|
|
* @param bool $encrypted If true encryption else decryption
|
|
* @param string $str Data
|
|
* @param string $key Key
|
|
* @param string $iv IV
|
|
* @return string
|
|
*/
|
|
private static function aesCtrSegmentIntegerCounter($encrypted = true, $str, $key, $iv)
|
|
{
|
|
$numOfBlocks = ceil(strlen($str) / 16);
|
|
$ctrStr = '';
|
|
for ($i = 0; $i < $numOfBlocks; ++$i) {
|
|
for ($j = 0; $j < 16; ++$j) {
|
|
$n = ord($iv[$j]);
|
|
if (0x100 === ++$n) {
|
|
// overflow, set this one to 0, increment next
|
|
$iv[$j] = chr(0);
|
|
} else {
|
|
// no overflow, just write incremented number back and abort
|
|
$iv[$j] = chr($n);
|
|
break;
|
|
}
|
|
}
|
|
$data = substr($str, $i * 16, 16);
|
|
$ctrStr .= $encrypted ?
|
|
self::encryptCtr($data, $key, $iv) :
|
|
self::decryptCtr($data, $key, $iv);
|
|
}
|
|
return $ctrStr;
|
|
}
|
|
|
|
/**
|
|
* Encrypt AES-CTR.
|
|
*
|
|
* @param string $data Raw data
|
|
* @param string $key Aes key
|
|
* @param string $iv Aes IV
|
|
* @return string Encrypted data
|
|
* @throws RuntimeException
|
|
*/
|
|
private static function encryptCtr($data, $key, $iv)
|
|
{
|
|
if (extension_loaded("openssl")) {
|
|
$numBits = strlen($key) * 8;
|
|
return openssl_encrypt($data, 'AES-' . $numBits . '-CTR', $key, OPENSSL_RAW_DATA, $iv);
|
|
} elseif (extension_loaded("mcrypt")) {
|
|
return mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, "ctr", $iv);
|
|
} else {
|
|
throw new RuntimeException('Extension openssl or mcrypt not loaded');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Decrypt AES-CTR.
|
|
*
|
|
* @param string $data Encrypted data
|
|
* @param string $key Aes key
|
|
* @param string $iv Aes IV
|
|
* @return string Raw data
|
|
* @throws RuntimeException
|
|
*/
|
|
private static function decryptCtr($data, $key, $iv)
|
|
{
|
|
if (extension_loaded("openssl")) {
|
|
$numBits = strlen($key) * 8;
|
|
return openssl_decrypt($data, 'AES-' . $numBits . '-CTR', $key, OPENSSL_RAW_DATA, $iv);
|
|
} elseif (extension_loaded("mcrypt")) {
|
|
return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $data, "ctr", $iv);
|
|
} else {
|
|
throw new RuntimeException('Extension openssl or mcrypt not loaded');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Encryption string.
|
|
*
|
|
* @param string $content
|
|
* @return string
|
|
*/
|
|
public function encrypt($content)
|
|
{
|
|
// Init key strength.
|
|
$password = $this->entry->getPassword();
|
|
assert($password !== null);
|
|
|
|
// WinZip 99-character limit
|
|
// @see https://sourceforge.net/p/p7zip/discussion/383044/thread/c859a2f0/
|
|
$password = substr($password, 0, 99);
|
|
|
|
$keyStrengthBits = WinZipAesEntryExtraField::getKeyStrangeFromEncryptionMethod($this->entry->getEncryptionMethod());
|
|
$keyStrengthBytes = $keyStrengthBits / 8;
|
|
|
|
assert(self::AES_BLOCK_SIZE_BITS <= $keyStrengthBits);
|
|
|
|
$salt = CryptoUtil::randomBytes($keyStrengthBytes / 2);
|
|
|
|
$keyParam = hash_pbkdf2("sha1", $password, $salt, self::ITERATION_COUNT, (2 * $keyStrengthBits + self::PWD_VERIFIER_BITS) / 8, true);
|
|
$sha1HMacParam = substr($keyParam, $keyStrengthBytes, $keyStrengthBytes);
|
|
|
|
// Can you believe they "forgot" the nonce in the CTR mode IV?! :-(
|
|
$ctrIvSize = self::AES_BLOCK_SIZE_BITS / 8;
|
|
$iv = str_repeat(chr(0), $ctrIvSize);
|
|
|
|
$key = substr($keyParam, 0, $keyStrengthBytes);
|
|
|
|
$content = self::aesCtrSegmentIntegerCounter(true, $content, $key, $iv);
|
|
|
|
$mac = hash_hmac('sha1', $content, $sha1HMacParam, true);
|
|
|
|
return ($salt .
|
|
substr($keyParam, 2 * $keyStrengthBytes, self::PWD_VERIFIER_BITS / 8) .
|
|
$content .
|
|
substr($mac, 0, 10)
|
|
);
|
|
}
|
|
}
|