From cfb87837e67c79300102f0ad9c5d4ed931521aeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?nils=20m=C3=A5s=C3=A9n?=
Date: Tue, 10 Nov 2020 18:29:58 +0100
Subject: [PATCH 1/2] Use RNGCryptoServiceProvider for crypto headers
---
 src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs | 4 ++--
 src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs | 6 ++++--
 src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs | 8 ++++++--
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
index 7a8c55e6e..40f8b15d3 100644
--- a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
+++ b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
@@ -444,8 +444,8 @@ public override byte[] Key
 public override void GenerateKey()
 {
 key_ = new byte[12];
- var rnd = new Random();
- rnd.NextBytes(key_);
+ var rng = new RNGCryptoServiceProvider();
+ rng.GetBytes(key_);
 }
 ///
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
index 02fd30778..3bc4ddb83 100644
--- a/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
+++ b/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs
@@ -3713,8 +3713,10 @@ private static void CheckClassicPassword(CryptoStream classicCryptoStream, ZipEn
 private static void WriteEncryptionHeader(Stream stream, long crcValue)
 {
 byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
- var rnd = new Random();
- rnd.NextBytes(cryptBuffer);
+ using (var rng = new RNGCryptoServiceProvider())
+ {
+ rng.GetBytes(cryptBuffer);
+ }
 cryptBuffer[11] = (byte)(crcValue >> 24);
 stream.Write(cryptBuffer, 0, cryptBuffer.Length);
 }
diff --git a/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs b/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
index 1bd544c2d..2fbfc23e7 100644
--- a/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
+++ b/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs
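Review bot: In ZipFile.WriteEncryptionHeader the new code names the concrete `RNGCryptoServiceProvider` and constructs and disposes one for every entry header; the same pattern appears in ZipOutputStream.WriteEncryptionHeader and in GenerateKey in PkzipClassic.cs. Going through the abstract factory avoids tying the code to a type that later .NET releases mark obsolete, and one shared instance removes the per-entry allocation: `private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();` with `Rng.GetBytes(cryptBuffer);` at each call site. The framework generators are documented as thread-safe, but that should be confirmed for every target framework the project builds against, since the project file is not part of this patch.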
@@ -5,6 +5,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 namespace ICSharpCode.SharpZipLib.Zip
 {
@@ -627,8 +628,11 @@ private void WriteEncryptionHeader(long crcValue)
 InitializePassword(Password);
 byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
- var rnd = new Random();
- rnd.NextBytes(cryptBuffer);
+ using (var rng = new RNGCryptoServiceProvider())
+ {
+ rng.GetBytes(cryptBuffer);
+ }
+
 cryptBuffer[11] = (byte)(crcValue >> 24);
 EncryptBlock(cryptBuffer, 0, cryptBuffer.Length);
From f0da05affbe0173a35d5f42eecc1ce608767a443 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?nils=20m=C3=A5s=C3=A9n?=
Date: Tue, 10 Nov 2020 20:11:56 +0100
Subject: [PATCH 2/2] Dispose RNG service after use in ZipCrypto
---
 src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
index 40f8b15d3..6730c9dee 100644
--- a/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
+++ b/src/ICSharpCode.SharpZipLib/Encryption/PkzipClassic.cs
@@ -444,8 +444,10 @@ public override byte[] Key
 public override void GenerateKey()
 {
 key_ = new byte[12];
- var rng = new RNGCryptoServiceProvider();
- rng.GetBytes(key_);
+ using (var rng = new RNGCryptoServiceProvider())
+ {
+ rng.GetBytes(key_);
+ }
 }
 ///
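Review bot: Nothing in ZipOutputStream.WriteEncryptionHeader records why the header bytes now come from a cryptographic generator, so a later cleanup could put `System.Random` back without anyone noticing the regression. I would add above the `using` block: `// Header bytes must be unpredictable: System.Random output can be derived from its seed, which would hand an attacker known plaintext in the encrypted header.` The same comment fits the static WriteEncryptionHeader in ZipFile.cs. Unpredictable header bytes do not make the classic ZIP cipher itself strong, so the documentation for `Password` could also point callers who need confidentiality to AES entries where the library offers them. The method body starts before this hunk and continues after it.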
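Review bot: In GenerateKey (PATCH 2/2, PkzipClassic.cs) `key_` is replaced with a zero-filled array before the generator runs, so if `GetBytes` throws and a caller swallows the exception, the instance is left holding an all-zero key. Filling a local first and publishing it afterwards closes that window: `var newKey = new byte[12];`, then `rng.GetBytes(newKey);` inside the `using`, then `key_ = newKey;`. This is hardening rather than a failure shown on the page, and how callers handle the exception is not visible here.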