Closed hduden closed 8 years ago
"Before decrypting, a verification value can be derived from the decryption password and compared to the value stored with the file, serving as a quick check that will detect most, but not all, incorrect passwords. There is a 1 in 65,536 chance that an incorrect password will yield a matching verification value; therefore, a matching verification value cannot be absolutely relied on to indicate a correct password."
http://www.winzip.com/aes_info.htm#pwd-verify
It is not a reliable indication of whether or not the password is correct.
What is the proper way of checking for a wrong password (traditional PKWARE encryption)? I have a problem on OS X and Windows (Visual Studio 2013/2015 x64): minizip sometimes doesn't return any errors during open/read/close if I give it a wrong password. An additional check for unzEndOfFile before unzCloseCurrentFile seems to help, but it breaks reading of large zip64 files that were written by minizip from http://www.winimage.com/zLibDll/minizip.html.
You will also have to read some data with unzReadCurrentFile in order for it to verify that the password is correct.
unzip reads, but then ignores the "passverify" field when opening an encrypted file. All that is needed is to add a memcmp that compares the passverify value from the file with the one that is returned by fcrypt_init.
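The two-stage check the thread is circling, as an added example and not minizip's or WinZip's own code: the 2-byte verifier from PBKDF2 is the cheap open-time pre-check, and the 10-byte HMAC-SHA1 authentication code over the encrypted data is the check that only fails once the data has been read. Salt, key and verifier sizes follow the WinZip AES spec; the AES-CTR step is omitted (no AES in the standard library), so the entry body stands in for the ciphertext and all sample values are constructed.

```python
import hashlib
import hmac
import os

# WinZip AES parameters; strength 1..3 selects AES-128/192/256.
KEY_LEN = {1: 16, 2: 24, 3: 32}
SALT_LEN = {1: 8, 2: 12, 3: 16}
ITERATIONS = 1000      # PBKDF2-HMAC-SHA1 iteration count fixed by the spec
VERIFIER_LEN = 2       # the 16-bit "password verification value"
AUTH_CODE_LEN = 10     # truncated HMAC-SHA1 stored after the ciphertext


def derive_keys(password: bytes, salt: bytes, strength: int):
    """Split PBKDF2 output into AES key, HMAC key and the 2-byte verifier."""
    n = KEY_LEN[strength]
    km = hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, 2 * n + VERIFIER_LEN)
    return km[:n], km[n:2 * n], km[2 * n:]


def seal_entry(password: bytes, body: bytes, strength: int = 3) -> dict:
    """Constructed writer: AES-CTR is skipped, so `body` stands in for the ciphertext;
    salt, verifier and authentication code are laid out as in a real AES zip entry."""
    salt = os.urandom(SALT_LEN[strength])
    _, mac_key, verifier = derive_keys(password, salt, strength)
    auth = hmac.new(mac_key, body, "sha1").digest()[:AUTH_CODE_LEN]
    return {"strength": strength, "salt": salt, "verifier": verifier, "data": body, "auth": auth}


def quick_password_check(password: bytes, entry: dict) -> bool:
    """Open-time pre-check: roughly 1 in 65536 wrong passwords still pass it."""
    _, _, verifier = derive_keys(password, entry["salt"], entry["strength"])
    return hmac.compare_digest(verifier, entry["verifier"])


def authenticate_entry(password: bytes, entry: dict) -> bool:
    """Authoritative check: recompute HMAC-SHA1 over all encrypted data and compare it
    with the stored authentication code. A wrong password or tampered data fails here."""
    _, mac_key, _ = derive_keys(password, entry["salt"], entry["strength"])
    expected = hmac.new(mac_key, entry["data"], "sha1").digest()[:AUTH_CODE_LEN]
    return hmac.compare_digest(expected, entry["auth"])


def open_and_read(password: bytes, entry: dict) -> str:
    """Mirror an open/read/close sequence and report which stage rejected the password."""
    if not quick_password_check(password, entry):
        return "rejected at open: verifier mismatch"
    if not authenticate_entry(password, entry):
        return "rejected at close: authentication code mismatch"
    return "ok"
```

A reader that stops at the verifier (or skips it, as the last comment says unzip does) accepts the rare colliding password; only the authentication code comparison after reading the data is conclusive.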