search

nih-at / libzip

A C library for reading, creating, and modifying zip archives.
https://libzip.org/
Other
829 stars 268 forks source link

WinZip encryption is not FIPS compliant #250

Closed vmurashev closed 3 years ago

vmurashev commented 3 years ago

If to link libzip with FIPS compliant OpenSSL, it is not possible to use WinZip encryption method There is a crash with the following report in STDERR:

.\crypto\aes\aes_misc.c(74): OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode!

Root cause is that the function _zip_crypto_aes_encrypt_block defined as macros to recall AES_encrypt from OpenSSL But AES_encrypt API is not FIPS compliant and should be avoided to be compatible with OpenSSL FIPS mode

0-wiz-0 commented 3 years ago

I don't know anything about OpenSSL's FIPS mode. The code is in lib/zip_crypto_openssl.c, but I think you found that already.

Feel free to come up with a patch, if it is even possible with openssl in FIPS mode; or use a different backend (like GnuTLS or mbed TLS or libreSSL or an OpenSSL installation without FIPS).

vmurashev commented 3 years ago

@0-wiz-0 patch #255 suggested, please take a look

0-wiz-0 commented 3 years ago

Thank you very much! I've just merged it.