Merge pull request #235 from BenjaminRi/infozip-decrypt

Add Info-ZIP password validation
2021-05-11 10:55:36 +01:00 · 2021-05-11 10:55:36 +01:00 · 9e1b1c73e1
commit 9e1b1c73e1
parent 465e7cebd6 aee5ff09bc
4 changed files with 66 additions and 15 deletions
--- a/src/read.rs
+++ b/src/read.rs
@ -4,8 +4,7 @@ use crate::compression::CompressionMethod;
 use crate::crc32::Crc32Reader;
 use crate::result::{InvalidPassword, ZipError, ZipResult};
 use crate::spec;
-use crate::zipcrypto::ZipCryptoReader;
-use crate::zipcrypto::ZipCryptoReaderValid;
+use crate::zipcrypto::{ZipCryptoReader, ZipCryptoReaderValid, ZipCryptoValidator};
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::io::{self, prelude::*};
@ -161,6 +160,8 @@ fn find_content<'a>(
 fn make_crypto_reader<'a>(
    compression_method: crate::compression::CompressionMethod,
    crc32: u32,
+    last_modified_time: DateTime,
+    using_data_descriptor: bool,
    reader: io::Take<&'a mut dyn io::Read>,
    password: Option<&[u8]>,
 ) -> ZipResult<Result<CryptoReader<'a>, InvalidPassword>> {
@ -173,10 +174,17 @@ fn make_crypto_reader<'a>(

    let reader = match password {
        None => CryptoReader::Plaintext(reader),
-        Some(password) => match ZipCryptoReader::new(reader, password).validate(crc32)? {
+        Some(password) => {
+            let validator = if using_data_descriptor {
+                ZipCryptoValidator::InfoZipMsdosTime(last_modified_time.timepart())
+            } else {
+                ZipCryptoValidator::PkzipCrc32(crc32)
+            };
+            match ZipCryptoReader::new(reader, password).validate(validator)? {
                None => return Ok(Err(InvalidPassword)),
                Some(r) => CryptoReader::ZipCrypto(r),
-        },
+            }
+        }
    };
    Ok(Ok(reader))
 }
@ -491,7 +499,14 @@ impl<R: Read + io::Seek> ZipArchive<R> {
        }
        let limit_reader = find_content(data, &mut self.reader)?;

-        match make_crypto_reader(data.compression_method, data.crc32, limit_reader, password) {
+        match make_crypto_reader(
+            data.compression_method,
+            data.crc32,
+            data.last_modified_time,
+            data.using_data_descriptor,
+            limit_reader,
+            password,
+        ) {
            Ok(Ok(crypto_reader)) => Ok(Ok(ZipFile {
                crypto_reader: Some(crypto_reader),
                reader: ZipFileReader::NoReader,
@ -531,6 +546,7 @@ pub(crate) fn central_header_to_zip_file<R: Read + io::Seek>(
    let flags = reader.read_u16::<LittleEndian>()?;
    let encrypted = flags & 1 == 1;
    let is_utf8 = flags & (1 << 11) != 0;
+    let using_data_descriptor = flags & (1 << 3) != 0;
    let compression_method = reader.read_u16::<LittleEndian>()?;
    let last_mod_time = reader.read_u16::<LittleEndian>()?;
    let last_mod_date = reader.read_u16::<LittleEndian>()?;
@ -565,6 +581,7 @@ pub(crate) fn central_header_to_zip_file<R: Read + io::Seek>(
        system: System::from_u8((version_made_by >> 8) as u8),
        version_made_by: version_made_by as u8,
        encrypted,
+        using_data_descriptor,
        compression_method: {
            #[allow(deprecated)]
            CompressionMethod::from_u16(compression_method)
@ -908,6 +925,7 @@ pub fn read_zipfile_from_stream<'a, R: io::Read>(
        system: System::from_u8((version_made_by >> 8) as u8),
        version_made_by: version_made_by as u8,
        encrypted,
+        using_data_descriptor,
        compression_method,
        last_modified_time: DateTime::from_msdos(last_mod_date, last_mod_time),
        crc32,
@ -943,8 +961,15 @@ pub fn read_zipfile_from_stream<'a, R: io::Read>(

    let result_crc32 = result.crc32;
    let result_compression_method = result.compression_method;
-    let crypto_reader =
-        make_crypto_reader(result_compression_method, result_crc32, limit_reader, None)?.unwrap();
+    let crypto_reader = make_crypto_reader(
+        result_compression_method,
+        result_crc32,
+        result.last_modified_time,
+        result.using_data_descriptor,
+        limit_reader,
+        None,
+    )?
+    .unwrap();

    Ok(Some(ZipFile {
        data: Cow::Owned(result),
--- a/src/types.rs
+++ b/src/types.rs
@ -216,6 +216,8 @@ pub struct ZipFileData {
    pub version_made_by: u8,
    /// True if the file is encrypted.
    pub encrypted: bool,
+    /// True if the file uses a data-descriptor section
+    pub using_data_descriptor: bool,
    /// Compression method used to store the file
    pub compression_method: crate::compression::CompressionMethod,
    /// Last modified time. This will only have a 2 second precision.
@ -303,6 +305,7 @@ mod test {
            system: System::Dos,
            version_made_by: 0,
            encrypted: false,
+            using_data_descriptor: false,
            compression_method: crate::compression::CompressionMethod::Stored,
            last_modified_time: DateTime::default(),
            crc32: 0,
--- a/src/write.rs
+++ b/src/write.rs
@ -290,6 +290,7 @@ impl<W: Write + io::Seek> ZipWriter<W> {
                system: System::Unix,
                version_made_by: DEFAULT_VERSION,
                encrypted: false,
+                using_data_descriptor: false,
                compression_method: options.compression_method,
                last_modified_time: options.last_modified_time,
                crc32: raw_values.crc32,
--- a/src/zipcrypto.rs
+++ b/src/zipcrypto.rs
@ -57,6 +57,11 @@ pub struct ZipCryptoReader<R> {
    keys: ZipCryptoKeys,
 }

+pub enum ZipCryptoValidator {
+    PkzipCrc32(u32),
+    InfoZipMsdosTime(u16),
+}
+
 impl<R: std::io::Read> ZipCryptoReader<R> {
    /// Note: The password is `&[u8]` and not `&str` because the
    /// [zip specification](https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.3.TXT)
@ -81,7 +86,7 @@ impl<R: std::io::Read> ZipCryptoReader<R> {
    /// Read the ZipCrypto header bytes and validate the password.
    pub fn validate(
        mut self,
-        crc32_plaintext: u32,
+        validator: ZipCryptoValidator,
    ) -> Result<Option<ZipCryptoReaderValid<R>>, std::io::Error> {
        // ZipCrypto prefixes a file with a 12 byte header
        let mut header_buf = [0u8; 12];
@ -90,6 +95,8 @@ impl<R: std::io::Read> ZipCryptoReader<R> {
            *byte = self.keys.decrypt_byte(*byte);
        }

+        match validator {
+            ZipCryptoValidator::PkzipCrc32(crc32_plaintext) => {
                // PKZIP before 2.0 used 2 byte CRC check.
                // PKZIP 2.0+ used 1 byte CRC check. It's more secure.
                // We also use 1 byte CRC.
@ -97,6 +104,21 @@ impl<R: std::io::Read> ZipCryptoReader<R> {
                if (crc32_plaintext >> 24) as u8 != header_buf[11] {
                    return Ok(None); // Wrong password
                }
+            }
+            ZipCryptoValidator::InfoZipMsdosTime(last_mod_time) => {
+                // Info-ZIP modification to ZipCrypto format:
+                // If bit 3 of the general purpose bit flag is set
+                // (indicates that the file uses a data-descriptor section),
+                // it uses high byte of 16-bit File Time.
+                // Info-ZIP code probably writes 2 bytes of File Time.
+                // We check only 1 byte.
+
+                if (last_mod_time >> 8) as u8 != header_buf[11] {
+                    return Ok(None); // Wrong password
+                }
+            }
+        }
+
        Ok(Some(ZipCryptoReaderValid { reader: self }))
    }
 }