gildas-lormeau / zip.js

JavaScript library to zip and unzip files supporting multi-core compression, compression streams, zip64, split files and encryption.
https://gildas-lormeau.github.io/zip.js
BSD 3-Clause "New" or "Revised" License

misc.hmacSha1 in sjcl.js is broken for keys longer than 16 #390

Closed andreasdamm closed 1 year ago

andreasdamm commented 1 year ago

When trying to read an AES encrypted zip file in an environment that does not expose importKey, an exception is encountered when using a password whose length when converted to bits exceeds a block size of 16.

Exception: TypeError: Hash.hash is not a function

Fix:

diff --git a/lib/core/streams/codecs/sjcl.js b/lib/core/streams/codecs/sjcl.js
index 24544dbee63df2f1b0b95740c641af550c9f24c5..abd44b705d7bb61c9e2c090c6057e0a2a7c02e99 100644
--- a/lib/core/streams/codecs/sjcl.js
+++ b/lib/core/streams/codecs/sjcl.js
@@ -774,7 +774,7 @@ misc.hmacSha1 = class {
        const bs = hmac._baseHash[0].blockSize / 32;

        if (key.length > bs) {
-           key = Hash.hash(key);
+           key = new Hash().update(key).finalize();
        }

        for (let i = 0; i < bs; i++) {
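Review bot: The `key.length > bs` branch at the changed line has no regression test in this patch, and it only runs for keys longer than one block, which is how a call to a non-existent `Hash.hash` could go unnoticed. Please add a test that runs `misc.hmacSha1` with a key of more than `bs` words and compares the output with a known HMAC-SHA1 value. A short comment that `bs` and `key.length` are both counted in 32-bit words (`blockSize / 32`) would make the threshold easier to read. It is also worth checking the rest of sjcl.js for other call sites that still use the static `Hash.hash(...)` form.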
gildas-lormeau commented 1 year ago

Thank you very much for the bug report. I have integrated your fix in version 2.6.62, which I have just published.
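The branch fixed in this issue is the HMAC rule that a key longer than one hash block is first replaced by its digest (RFC 2104). The following is an added example, not code from zip.js or from the thread: a hand-written HMAC-SHA1 checked against Node's built-in HMAC for key lengths around the 64-byte block boundary. It assumes Node.js; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: HMAC-SHA1 key preparation per RFC 2104, compared with Node's built-in HMAC.
const crypto = require("crypto");

const BLOCK_SIZE = 64; // SHA-1 block size in bytes (512 bits, i.e. 16 32-bit words)

function sha1(data) {
  return crypto.createHash("sha1").update(data).digest();
}

// A key longer than one block is replaced by its digest, then zero-padded to a full block.
// This is the step that the `key.length > bs` branch in the patch performs.
function prepareKey(key) {
  const k = key.length > BLOCK_SIZE ? sha1(key) : key;
  const padded = Buffer.alloc(BLOCK_SIZE); // zero-filled
  k.copy(padded);
  return padded;
}

function hmacSha1(key, message) {
  const k = prepareKey(key);
  const ipad = Buffer.alloc(BLOCK_SIZE);
  const opad = Buffer.alloc(BLOCK_SIZE);
  for (let i = 0; i < BLOCK_SIZE; i++) {
    ipad[i] = k[i] ^ 0x36;
    opad[i] = k[i] ^ 0x5c;
  }
  const inner = sha1(Buffer.concat([ipad, message]));
  return sha1(Buffer.concat([opad, inner])).toString("hex");
}

// Reference implementation used as the oracle.
function reference(key, message) {
  return crypto.createHmac("sha1", key).update(message).digest("hex");
}

// Constructed inputs: keys below, at, and above the block size.
function checkKeyLengths(lengths) {
  const message = Buffer.from("constructed sample message");
  return lengths.map((n) => {
    const key = Buffer.alloc(n, 0x61);
    return { length: n, matches: hmacSha1(key, message) === reference(key, message) };
  });
}

console.log(checkKeyLengths([8, 63, 64, 65, 200]));
```

A regression test of this shape, with at least one key longer than the block size, exercises the long-key branch that short-password tests never reach.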