DevComp/zip-rs-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feature gate aes decryption

Browse source
This commit is contained in:
Lireer 2020-10-10 19:38:58 +02:00
parent 0820cc4fe2
commit 354993d906
8 changed files with 139 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
Cargo.toml
View file

@ -11,15 +11,15 @@ Library to support the reading and writing of zip files.
edition = "2018"
[dependencies]
aes = "0.5.0"
aes = { version = "0.5.0", optional = true }
byteorder = "1.3"
bzip2 = { version = "0.4", optional = true }
constant_time_eq = "0.1.5"
constant_time_eq = { version = "0.1.5", optional = true }
crc32fast = "1.0"
flate2 = { version = "1.0.0", default-features = false, optional = true }
hmac = "0.9.0"
pbkdf2 = "0.5.0"
sha-1 = "0.9.1"
hmac = {version = "0.9.0", optional = true }
pbkdf2 = {version = "0.5.0", optional = true }
sha-1 = {version = "0.9.1", optional = true }
thiserror = "1.0"
time = { version = "0.1", optional = true }
@ -29,6 +29,7 @@ rand = "0.7"
walkdir = "2"
[features]
aes-crypto = [ "aes", "constant_time_eq", "hmac", "pbkdf2", "sha-1" ]
deflate = ["flate2/rust_backend"]
deflate-miniz = ["flate2/default"]
deflate-zlib = ["flate2/zlib"]

34
src/aes.rs
View file

@ -1,5 +1,4 @@
use crate::aes_ctr;
use crate::types::AesMode;
use constant_time_eq::constant_time_eq;
use hmac::{Hmac, Mac, NewMac};
use sha1::Sha1;
@ -23,7 +22,38 @@ fn cipher_from_mode(aes_mode: AesMode, key: &[u8]) -> Box<dyn aes_ctr::AesCipher
}
}
// an aes encrypted file starts with a salt, whose length depends on the used aes mode
#[cfg(feature = "aes-crypto")]
#[derive(Copy, Clone, Debug)]
pub enum AesVendorVersion {
Ae1,
Ae2,
}
#[cfg(feature = "aes-crypto")]
/// AES variant used.
#[derive(Copy, Clone, Debug)]
pub enum AesMode {
Aes128,
Aes192,
Aes256,
}
#[cfg(feature = "aes-crypto")]
impl AesMode {
pub fn salt_length(&self) -> usize {
self.key_length() / 2
}
pub fn key_length(&self) -> usize {
match self {
Self::Aes128 => 16,
Self::Aes192 => 24,
Self::Aes256 => 32,
}
}
}
// An aes encrypted file starts with a salt, whose length depends on the used aes mode
// followed by a 2 byte password verification value
// then the variable length encrypted data
// and lastly a 10 byte authentication code

7
src/aes_ctr.rs
View file

@ -152,7 +152,6 @@ mod tests {
0x18, 0x55, 0x24, 0xa3, 0x9e, 0x0e, 0x40, 0xe7, 0x92, 0xad, 0xb2, 0x8a, 0x48, 0xf4,
0x5c, 0xd0, 0xc0, 0x54,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
@ -174,7 +173,6 @@ mod tests {
0xe0, 0x25, 0x7b, 0x57, 0x97, 0x6a, 0xa4, 0x23, 0xab, 0x94, 0xaa, 0x44, 0xfd, 0x47,
0x4f, 0xa5,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
@ -196,7 +194,6 @@ mod tests {
0xe4, 0x4a, 0x88, 0x52, 0x8f, 0xf7, 0x0b, 0x81, 0x7b, 0x75, 0xf1, 0x74, 0x21, 0x37,
0x8c, 0x90, 0xad, 0xbe, 0x4a, 0x65, 0xa8, 0x96, 0x0e, 0xcc,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
@ -219,7 +216,6 @@ mod tests {
0xa5, 0xee, 0x3a, 0x4f, 0x0f, 0x4b, 0x29, 0xbd, 0xe9, 0xb8, 0x41, 0x9c, 0x41, 0xa5,
0x15, 0xb2, 0x86, 0xab,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
@ -245,7 +241,6 @@ mod tests {
0x43, 0x2b, 0x6d, 0xbe, 0x05, 0x76, 0x6c, 0x9e, 0xde, 0xca, 0x3b, 0xf8, 0xaf, 0x5d,
0x81, 0xb6,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
@ -271,7 +266,6 @@ mod tests {
0xac, 0x92, 0x41, 0xba, 0xde, 0xd9, 0x02, 0xfe, 0x40, 0x92, 0x20, 0xf6, 0x56, 0x03,
0xfe, 0xae, 0x1b, 0xba, 0x01, 0x97, 0x97, 0x79, 0xbb, 0xa6,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
@ -298,7 +292,6 @@ mod tests {
0xe1, 0x4d, 0x4a, 0x77, 0xd4, 0xeb, 0x9e, 0x3d, 0x75, 0xce, 0x9a, 0x3e, 0x10, 0x50,
0xc2, 0x07, 0x36, 0xb6,
];
eprintln!("{}", key.len());
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);

42
src/crc32.rs
View file

@ -10,6 +10,7 @@ pub struct Crc32Reader<R> {
inner: R,
hasher: Hasher,
check: u32,
#[cfg(feature = "aes-crypto")]
/// Signals if `inner` stores aes encrypted data.
/// AE-2 encrypted data doesn't use crc and sets the value to 0.
ae2_encrypted: bool,
@ -18,11 +19,16 @@ pub struct Crc32Reader<R> {
impl<R> Crc32Reader<R> {
/// Get a new Crc32Reader which checks the inner reader against checksum.
/// The check is disabled if `ae2_encrypted == true`.
pub fn new(inner: R, checksum: u32, ae2_encrypted: bool) -> Crc32Reader<R> {
pub(crate) fn new(
inner: R,
checksum: u32,
#[cfg(feature = "aes-crypto")] ae2_encrypted: bool,
) -> Crc32Reader<R> {
Crc32Reader {
inner,
hasher: Hasher::new(),
check: checksum,
#[cfg(feature = "aes-crypto")]
ae2_encrypted,
}
}
@ -38,8 +44,12 @@ impl<R> Crc32Reader<R> {
impl<R: Read> Read for Crc32Reader<R> {
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
let invalid_check = !buf.is_empty() && !self.check_matches();
#[cfg(feature = "aes-crypto")]
let invalid_check = invalid_check && !self.ae2_encrypted;
let count = match self.inner.read(buf) {
Ok(0) if !buf.is_empty() && !self.check_matches() && !self.ae2_encrypted => {
Ok(0) if invalid_check => {
return Err(io::Error::new(io::ErrorKind::Other, "Invalid checksum"))
}
Ok(n) => n,
@ -60,10 +70,20 @@ mod test {
let data: &[u8] = b"";
let mut buf = [0; 1];
let mut reader = Crc32Reader::new(data, 0, false);
let mut reader = Crc32Reader::new(
data,
0,
#[cfg(feature = "aes-crypto")]
false,
);
assert_eq!(reader.read(&mut buf).unwrap(), 0);
let mut reader = Crc32Reader::new(data, 1, false);
let mut reader = Crc32Reader::new(
data,
1,
#[cfg(feature = "aes-crypto")]
false,
);
assert!(reader
.read(&mut buf)
.unwrap_err()
@ -76,7 +96,12 @@ mod test {
let data: &[u8] = b"1234";
let mut buf = [0; 1];
let mut reader = Crc32Reader::new(data, 0x9be3e0a3, false);
let mut reader = Crc32Reader::new(
data,
0x9be3e0a3,
#[cfg(feature = "aes-crypto")]
false,
);
assert_eq!(reader.read(&mut buf).unwrap(), 1);
assert_eq!(reader.read(&mut buf).unwrap(), 1);
assert_eq!(reader.read(&mut buf).unwrap(), 1);
@ -91,7 +116,12 @@ mod test {
let data: &[u8] = b"1234";
let mut buf = [0; 5];
let mut reader = Crc32Reader::new(data, 0x9be3e0a3, false);
let mut reader = Crc32Reader::new(
data,
0x9be3e0a3,
#[cfg(feature = "aes-crypto")]
false,
);
assert_eq!(reader.read(&mut buf[..0]).unwrap(), 0);
assert_eq!(reader.read(&mut buf).unwrap(), 4);
}

2
src/lib.rs
View file

@ -10,7 +10,9 @@ pub use crate::read::ZipArchive;
pub use crate::types::DateTime;
pub use crate::write::ZipWriter;
#[cfg(feature = "aes-crypto")]
mod aes;
#[cfg(feature = "aes-crypto")]
mod aes_ctr;
mod compression;
mod cp437;

71
src/read.rs
View file

@ -1,12 +1,13 @@
//! Types for reading ZIP archives
use crate::aes::{AesReader, AesReaderValid};
#[cfg(feature = "aes-crypto")]
use crate::aes::{AesMode, AesReader, AesReaderValid, AesVendorVersion};
use crate::compression::CompressionMethod;
use crate::cp437::FromCp437;
use crate::crc32::Crc32Reader;
use crate::result::{InvalidPassword, ZipError, ZipResult};
use crate::spec;
use crate::types::{AesMode, AesVendorVersion, DateTime, System, ZipFileData};
use crate::types::{DateTime, System, ZipFileData};
use crate::zipcrypto::{ZipCryptoReader, ZipCryptoReaderValid, ZipCryptoValidator};
use byteorder::{LittleEndian, ReadBytesExt};
use std::borrow::Cow;
@ -58,6 +59,7 @@ pub struct ZipArchive<R> {
enum CryptoReader<'a> {
Plaintext(io::Take<&'a mut dyn Read>),
ZipCrypto(ZipCryptoReaderValid<io::Take<&'a mut dyn Read>>),
#[cfg(feature = "aes-crypto")]
Aes {
reader: AesReaderValid<io::Take<&'a mut dyn Read>>,
vendor_version: AesVendorVersion,
@ -69,6 +71,7 @@ impl<'a> Read for CryptoReader<'a> {
match self {
CryptoReader::Plaintext(r) => r.read(buf),
CryptoReader::ZipCrypto(r) => r.read(buf),
#[cfg(feature = "aes-crypto")]
CryptoReader::Aes { reader: r, .. } => r.read(buf),
}
}
@ -80,6 +83,7 @@ impl<'a> CryptoReader<'a> {
match self {
CryptoReader::Plaintext(r) => r,
CryptoReader::ZipCrypto(r) => r.into_inner(),
#[cfg(feature = "aes-crypto")]
CryptoReader::Aes { reader: r, .. } => r.into_inner(),
}
}
@ -171,8 +175,8 @@ fn make_crypto_reader<'a>(
using_data_descriptor: bool,
reader: io::Take<&'a mut dyn io::Read>,
password: Option<&[u8]>,
aes_info: Option<(AesMode, AesVendorVersion)>,
compressed_size: u64,
#[cfg(feature = "aes-crypto")] aes_info: Option<(AesMode, AesVendorVersion)>,
#[cfg(feature = "aes-crypto")] compressed_size: u64,
) -> ZipResult<Result<CryptoReader<'a>, InvalidPassword>> {
#[allow(deprecated)]
{
@ -181,8 +185,20 @@ fn make_crypto_reader<'a>(
}
}
#[cfg(not(feature = "aes-crypto"))]
let aes_info: Option<()> = None;
let reader = match (password, aes_info) {
(None, _) => CryptoReader::Plaintext(reader),
#[cfg(feature = "aes-crypto")]
(Some(password), Some((aes_mode, vendor_version))) => {
match AesReader::new(reader, aes_mode, compressed_size).validate(&password)? {
None => return Ok(Err(InvalidPassword)),
Some(r) => CryptoReader::Aes {
reader: r,
vendor_version,
},
}
}
(Some(password), None) => {
let validator = if using_data_descriptor {
ZipCryptoValidator::InfoZipMsdosTime(last_modified_time.timepart())
@ -194,15 +210,7 @@ fn make_crypto_reader<'a>(
Some(r) => CryptoReader::ZipCrypto(r),
}
}
(Some(password), Some((aes_mode, vendor_version))) => {
match AesReader::new(reader, aes_mode, compressed_size).validate(&password)? {
None => return Ok(Err(InvalidPassword)),
Some(r) => CryptoReader::Aes {
reader: r,
vendor_version,
},
}
}
_ => CryptoReader::Plaintext(reader),
};
Ok(Ok(reader))
}
@ -212,14 +220,19 @@ fn make_reader<'a>(
crc32: u32,
reader: CryptoReader<'a>,
) -> ZipFileReader<'a> {
#[cfg(feature = "aes-crypto")]
let ae2_encrypted = matches!(reader, CryptoReader::Aes {
vendor_version: AesVendorVersion::Ae2,
..
});
match compression_method {
CompressionMethod::Stored => {
ZipFileReader::Stored(Crc32Reader::new(reader, crc32, ae2_encrypted))
}
CompressionMethod::Stored => ZipFileReader::Stored(Crc32Reader::new(
reader,
crc32,
#[cfg(feature = "aes-crypto")]
ae2_encrypted,
)),
#[cfg(any(
feature = "deflate",
feature = "deflate-miniz",
@ -227,12 +240,22 @@ fn make_reader<'a>(
))]
CompressionMethod::Deflated => {
let deflate_reader = DeflateDecoder::new(reader);
ZipFileReader::Deflated(Crc32Reader::new(deflate_reader, crc32, ae2_encrypted))
ZipFileReader::Deflated(Crc32Reader::new(
deflate_reader,
crc32,
#[cfg(feature = "aes-crypto")]
ae2_encrypted,
))
}
#[cfg(feature = "bzip2")]
CompressionMethod::Bzip2 => {
let bzip2_reader = BzDecoder::new(reader);
ZipFileReader::Bzip2(Crc32Reader::new(bzip2_reader, crc32, ae2_encrypted))
ZipFileReader::Bzip2(Crc32Reader::new(
bzip2_reader,
crc32,
#[cfg(feature = "aes-crypto")]
ae2_encrypted,
))
}
_ => panic!("Compression method not supported"),
}
@ -526,7 +549,9 @@ impl<R: Read + io::Seek> ZipArchive<R> {
data.using_data_descriptor,
limit_reader,
password,
#[cfg(feature = "aes-crypto")]
data.aes_mode,
#[cfg(feature = "aes-crypto")]
data.compressed_size,
) {
Ok(Ok(crypto_reader)) => Ok(Ok(ZipFile {
@ -621,6 +646,7 @@ pub(crate) fn central_header_to_zip_file<R: Read + io::Seek>(
data_start: 0,
external_attributes: external_file_attributes,
large_file: false,
#[cfg(feature = "aes-crypto")]
aes_mode: None,
};
@ -629,12 +655,15 @@ pub(crate) fn central_header_to_zip_file<R: Read + io::Seek>(
Err(e) => return Err(e),
}
#[cfg(feature = "aes-crypto")]
{
let aes_enabled = result.compression_method == CompressionMethod::AES;
if aes_enabled && result.aes_mode.is_none() {
return Err(ZipError::InvalidArchive(
"AES encryption without AES extra data field",
));
}
}
// Account for shifted zip offsets.
result.header_start += archive_offset;
@ -667,6 +696,7 @@ fn parse_extra_field(file: &mut ZipFileData) -> ZipResult<()> {
len_left -= 8;
}
}
#[cfg(feature = "aes-crypto")]
0x9901 => {
// AES
if len != 7 {
@ -1018,6 +1048,7 @@ pub fn read_zipfile_from_stream<'a, R: io::Read>(
// from standard input, this field is set to zero.'
external_attributes: 0,
large_file: false,
#[cfg(feature = "aes-crypto")]
aes_mode: None,
};
@ -1044,7 +1075,9 @@ pub fn read_zipfile_from_stream<'a, R: io::Read>(
result.using_data_descriptor,
limit_reader,
None,
#[cfg(feature = "aes-crypto")]
None,
#[cfg(feature = "aes-crypto")]
result.compressed_size,
)?
.unwrap();

33
src/types.rs
View file

@ -1,5 +1,8 @@
//! Types that specify what is contained in a ZIP.
#[cfg(feature = "aes-crypto")]
use crate::aes::{AesMode, AesVendorVersion};
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum System {
Dos = 0,
@ -248,6 +251,7 @@ pub struct ZipFileData {
pub external_attributes: u32,
/// Reserve local ZIP64 extra field
pub large_file: bool,
#[cfg(feature = "aes-crypto")]
/// AES mode if applicable
pub aes_mode: Option<(AesMode, AesVendorVersion)>,
}
@ -297,34 +301,6 @@ impl ZipFileData {
}
}
#[derive(Copy, Clone, Debug)]
pub enum AesVendorVersion {
Ae1,
Ae2,
}
/// AES variant used.
#[derive(Copy, Clone, Debug)]
pub enum AesMode {
Aes128,
Aes192,
Aes256,
}
impl AesMode {
pub fn salt_length(&self) -> usize {
self.key_length() / 2
}
pub fn key_length(&self) -> usize {
match self {
Self::Aes128 => 16,
Self::Aes192 => 24,
Self::Aes256 => 32,
}
}
}
#[cfg(test)]
mod test {
#[test]
@ -359,6 +335,7 @@ mod test {
central_header_start: 0,
external_attributes: 0,
large_file: false,
#[cfg(feature = "aes-crypto")]
aes_mode: None,
};
assert_eq!(

1
src/write.rs
View file

@ -334,6 +334,7 @@ impl<W: Write + io::Seek> ZipWriter<W> {
central_header_start: 0,
external_attributes: permissions << 16,
large_file: options.large_file,
#[cfg(feature = "aes-crypto")]
aes_mode: None,
};
write_local_file_header(writer, &file)?;