DevComp/zip-rs-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

finalize AesReader validation and most of decryption

Browse source
This commit is contained in:
Lireer 2020-10-08 18:30:27 +02:00 committed by Lireer
parent 12260f5623
commit d25d6f5f57
3 changed files with 106 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

112
src/aes.rs
View file

@ -1,86 +1,134 @@
use crate::aes_ctr;
use crate::types::AesMode;
use std::io;
use byteorder::{LittleEndian, ReadBytesExt};
use hmac::Hmac;
use hmac::{Hmac, Mac, NewMac};
use sha1::Sha1;
use std::io::{Error, Read};
/// The length of the password verifcation value in bytes
const PWD_VERIFY_LENGTH: u64 = 2;
const PWD_VERIFY_LENGTH: usize = 2;
/// The length of the authentication code in bytes
const AUTH_CODE_LENGTH: u64 = 10;
const AUTH_CODE_LENGTH: usize = 10;
/// The number of iterations used with PBKDF2
const ITERATION_COUNT: u32 = 1000;
/// AES block size in bytes
const BLOCK_SIZE: usize = 16;
fn cipher_from_mode(aes_mode: AesMode, key: &[u8]) -> Box<dyn aes_ctr::AesCipher> {
match aes_mode {
AesMode::Aes128 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes128>::new(key))
as Box<dyn aes_ctr::AesCipher>,
AesMode::Aes192 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes192>::new(key))
as Box<dyn aes_ctr::AesCipher>,
AesMode::Aes256 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes256>::new(key))
as Box<dyn aes_ctr::AesCipher>,
}
}
// an aes encrypted file starts with a salt, whose length depends on the used aes mode
// followed by a 2 byte password verification value
// then the variable length encrypted data
// and lastly a 10 byte authentication code
pub(crate) struct AesReader<R> {
pub struct AesReader<R> {
reader: R,
aes_mode: AesMode,
salt_length: usize,
data_length: u64,
}
impl<R: io::Read> AesReader<R> {
impl<R: Read> AesReader<R> {
pub fn new(reader: R, aes_mode: AesMode, compressed_size: u64) -> AesReader<R> {
let salt_length = aes_mode.salt_length();
let data_length = compressed_size - (PWD_VERIFY_LENGTH + AUTH_CODE_LENGTH + salt_length);
let data_length = compressed_size
- (PWD_VERIFY_LENGTH + AUTH_CODE_LENGTH + aes_mode.salt_length()) as u64;
Self {
reader,
aes_mode,
salt_length: salt_length as usize,
data_length,
}
}
pub fn validate(mut self, password: &[u8]) -> Result<Option<AesReaderValid<R>>, io::Error> {
// the length of the salt depends on the used key size
let mut salt = vec![0; self.salt_length as usize];
self.reader.read_exact(&mut salt).unwrap();
/// Read the AES header bytes and validate the password.
///
/// Even if the validation succeeds, there is still a 1 in 65536 chance that an incorrect
/// password was provided.
/// It isn't possible to check the authentication code in this step. This will be done after
/// reading and decrypting the file.
pub fn validate(mut self, password: &[u8]) -> Result<Option<AesReaderValid<R>>, Error> {
let salt_length = self.aes_mode.salt_length();
let key_length = self.aes_mode.key_length();
let mut salt = vec![0; salt_length];
self.reader.read_exact(&mut salt)?;
// next are 2 bytes used for password verification
let mut pwd_verification_value = vec![0; PWD_VERIFY_LENGTH as usize];
self.reader.read_exact(&mut pwd_verification_value).unwrap();
let mut pwd_verification_value = vec![0; PWD_VERIFY_LENGTH];
self.reader.read_exact(&mut pwd_verification_value)?;
// derive a key from the password and salt
// the length depends on the aes key length
let derived_key_len = (2 * self.aes_mode.key_length() + PWD_VERIFY_LENGTH) as usize;
let derived_key_len = 2 * key_length + PWD_VERIFY_LENGTH;
let mut derived_key: Vec<u8> = vec![0; derived_key_len];
// use PBKDF2 with HMAC-Sha1 to derive the key
pbkdf2::pbkdf2::<Hmac<Sha1>>(password, &salt, ITERATION_COUNT, &mut derived_key);
let decrypt_key = &derived_key[0..key_length];
let hmac_key = &derived_key[key_length..key_length * 2];
let pwd_verify = &derived_key[derived_key_len - 2..];
// the last 2 bytes should equal the password verification value
if pwd_verification_value != &derived_key[derived_key_len - 2..] {
if pwd_verification_value != pwd_verify {
// wrong password
return Ok(None);
}
// the first key_length bytes are used as decryption key
let decrypt_key = &derived_key[0..self.aes_mode.key_length() as usize];
let cipher = cipher_from_mode(self.aes_mode, &decrypt_key);
let hmac = Hmac::<Sha1>::new_varkey(hmac_key).unwrap();
panic!("Validating AesReader");
Ok(Some(AesReaderValid {
reader: self.reader,
data_remaining: self.data_length,
cipher,
hmac,
}))
}
}
pub(crate) struct AesReaderValid<R> {
reader: AesReader<R>,
pub struct AesReaderValid<R: Read> {
reader: R,
data_remaining: u64,
cipher: Box<dyn aes_ctr::AesCipher>,
hmac: Hmac<Sha1>,
}
impl<R: io::Read> io::Read for AesReaderValid<R> {
fn read(&mut self, mut buf: &mut [u8]) -> std::io::Result<usize> {
panic!("Reading from AesReaderValid")
impl<R: Read> Read for AesReaderValid<R> {
fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
// get the number of bytes to read, compare as u64 to make sure we can read more than
// 2^32 bytes even on 32 bit systems.
let bytes_to_read = self.data_remaining.min(buf.len() as u64) as usize;
let read = self.reader.read(&mut buf[0..bytes_to_read])?;
self.cipher.crypt_in_place(&mut buf[0..read]);
self.data_remaining -= read as u64;
// Update the hmac with the decrypted data
self.hmac.update(&buf[0..read]);
if self.data_remaining <= 0 {
// if there is no data left to read, check the integrity of the data
let mut read_auth = [0; 10];
self.reader.read_exact(&mut read_auth)?;
let computed_auth = self.hmac.finalize_reset();
// FIXME: The mac uses the whole sha1 hash each step
// Zip uses HMAC-Sha1-80, which throws away the second half each time
// see https://www.winzip.com/win/en/aes_info.html#auth-faq
// if computed_auth.into_bytes().as_slice() != &read_auth {
// }
}
Ok(read)
}
}
impl<R: io::Read> AesReaderValid<R> {
impl<R: Read> AesReaderValid<R> {
/// Consumes this decoder, returning the underlying reader.
pub fn into_inner(self) -> R {
self.reader.reader
self.reader
}
}

44
src/aes_ctr.rs
View file

@ -79,24 +79,24 @@ where
C::Cipher: NewBlockCipher,
{
/// Creates a new zip variant AES-CTR key stream.
pub fn new(key: &C::Key) -> AesCtrZipKeyStream<C> {
pub fn new(key: &[u8]) -> AesCtrZipKeyStream<C> {
AesCtrZipKeyStream {
counter: 1,
cipher: C::Cipher::new(GenericArray::from_slice(key.as_ref())),
cipher: C::Cipher::new(GenericArray::from_slice(key)),
buffer: [0u8; AES_BLOCK_SIZE],
pos: AES_BLOCK_SIZE,
}
}
}
impl<C> AesCtrZipKeyStream<C>
impl<C> AesCipher for AesCtrZipKeyStream<C>
where
C: AesKind,
C::Cipher: BlockCipher,
{
/// Decrypt or encrypt given data.
#[inline]
fn crypt(&mut self, mut target: &mut [u8]) {
fn crypt_in_place(&mut self, mut target: &mut [u8]) {
while target.len() > 0 {
if self.pos == AES_BLOCK_SIZE {
// Note: AES block size is always 16 bytes, same as u128.
@ -122,9 +122,13 @@ where
}
}
pub trait AesCipher {
fn crypt_in_place(&mut self, target: &mut [u8]);
}
/// XORs a slice in place with another slice.
#[inline]
pub fn xor(dest: &mut [u8], src: &[u8]) {
fn xor(dest: &mut [u8], src: &[u8]) {
debug_assert_eq!(dest.len(), src.len());
for (lhs, rhs) in dest.iter_mut().zip(src.iter()) {
@ -134,7 +138,7 @@ pub fn xor(dest: &mut [u8], src: &[u8]) {
#[cfg(test)]
mod tests {
use super::{Aes128, Aes192, Aes256, AesCtrZipKeyStream};
use super::{Aes128, Aes192, Aes256, AesCipher, AesCtrZipKeyStream};
// The data used in these tests was generated with p7zip without any compression.
// It's not possible to recreate the exact same data, since a random salt is used for encryption.
@ -153,12 +157,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -175,12 +179,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -197,12 +201,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -220,12 +224,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -246,12 +250,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes128>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -272,12 +276,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes192>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
@ -299,12 +303,12 @@ mod tests {
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
let mut plaintext = ciphertext;
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), expected_plaintext.to_vec());
// Round-tripping should yield the ciphertext again.
let mut key_stream = AesCtrZipKeyStream::<Aes256>::new(&key);
key_stream.crypt(&mut plaintext);
key_stream.crypt_in_place(&mut plaintext);
assert_eq!(plaintext.to_vec(), ciphertext.to_vec());
}
}

4
src/types.rs
View file

@ -309,11 +309,11 @@ pub enum AesMode {
}
impl AesMode {
pub fn salt_length(&self) -> u64 {
pub fn salt_length(&self) -> usize {
self.key_length() / 2
}
pub fn key_length(&self) -> u64 {
pub fn key_length(&self) -> usize {
match self {
Self::Aes128 => 16,
Self::Aes192 => 24,