zlib-ng / minizip-ng

Fork of the popular zip manipulation library found in the zlib distribution.

unzip does not verify that the encryption password is correct #36

Closed hduden closed 8 years ago

hduden commented 9 years ago

unzip reads, but then ignores the "passverify" field when opening an encrypted file. All that is needed is to add a memcmp that compares the passverify value from the file with the one that is returned by fcrypt_init.

nmoinvaz commented 8 years ago

"Before decrypting, a verification value can be derived from the decryption password and compared to the value stored with the file, serving as a quick check that will detect most, but not all, incorrect passwords. There is a 1 in 65,536 chance that an incorrect password will yield a matching verification value; therefore, a matching verification value cannot be absolutely relied on to indicate a correct password."

http://www.winzip.com/aes_info.htm#pwd-verify

It is not a reliable indication of whether or not the password is correct.
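To make the quoted 1-in-65,536 figure concrete, here is an added example (not minizip's own code and not taken from the WinZip page) that follows the WinZip AES specification linked above: PBKDF2-HMAC-SHA1 with 1000 rounds over the password and the stored salt produces 2*keylen+2 bytes, of which the last two are the "passverify" value compared at open time, and the real integrity check is the 10-byte HMAC-SHA1 authentication code over the ciphertext. The salt, password and ciphertext bytes are constructed; the AES-CTR step is left out because the authentication code is computed over ciphertext bytes, whatever they are.

```python
import hashlib
import hmac

# WinZip AES parameters: the strength byte in the extra field selects
# AES-128/192/256; key and salt sizes follow from it.
KEY_LEN = {1: 16, 2: 24, 3: 32}
SALT_LEN = {1: 8, 2: 12, 3: 16}
PBKDF2_ROUNDS = 1000   # fixed by the WinZip AES specification
AUTH_CODE_LEN = 10     # truncated HMAC-SHA1 stored after the ciphertext

# Constructed sample values (not from any real archive).
PASSWORD = b"correct horse battery"
STRENGTH = 3
SALT = bytes(range(SALT_LEN[STRENGTH]))
CIPHERTEXT = b"\x8f\x11\x2a\x00constructed-ciphertext-bytes\xff\x01"


def derive_keys(password: bytes, salt: bytes, strength: int):
    """Split the PBKDF2 output into (aes_key, hmac_key, passverify)."""
    klen = KEY_LEN[strength]
    if len(salt) != SALT_LEN[strength]:
        raise ValueError("salt length does not match AES strength")
    dk = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ROUNDS,
                             dklen=2 * klen + 2)
    return dk[:klen], dk[klen:2 * klen], dk[2 * klen:]


def seal(password: bytes, salt: bytes, strength: int, ciphertext: bytes):
    """Fields a writer stores beside the ciphertext: passverify and auth code."""
    _, hmac_key, passverify = derive_keys(password, salt, strength)
    auth = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return passverify, auth


def check_password(password: bytes, salt: bytes, strength: int,
                   stored_pv: bytes, ciphertext: bytes, stored_auth: bytes):
    """Return (quick_check_ok, auth_ok).

    quick_check_ok compares only 16 bits, so a wrong password passes it
    with probability 1/65536; auth_ok needs the whole ciphertext to have
    been read and is the check a reader should actually trust.
    """
    _, hmac_key, pv = derive_keys(password, salt, strength)
    quick_ok = hmac.compare_digest(pv, stored_pv)
    auth = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return quick_ok, hmac.compare_digest(auth, stored_auth)


def demo():
    """Seal with the right password, then check a right and a wrong one."""
    pv, auth = seal(PASSWORD, SALT, STRENGTH, CIPHERTEXT)
    right = check_password(PASSWORD, SALT, STRENGTH, pv, CIPHERTEXT, auth)
    wrong = check_password(b"wrong password", SALT, STRENGTH, pv, CIPHERTEXT, auth)
    return len(pv), right, wrong


if __name__ == "__main__":
    print(demo())
```

The passverify comparison is cheap and catches almost all typos before any decryption work, which is all the specification claims for it; rejecting a password only on a failed authentication code, after the entry has been read to the end, is the reliable signal.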

Nekto89 commented 7 years ago

What is the proper way of checking for a wrong password (traditional PKWARE encryption)? I have a problem on OS X and Windows (Visual Studio 2013/2015 x64): minizip sometimes doesn't return any errors during open/read/close if I give a wrong password to it. An additional check for unzEndOfFile before unzCloseCurrentFile seems to help, but it breaks reading of large zip64 files that were written by minizip from http://www.winimage.com/zLibDll/minizip.html.

nmoinvaz commented 7 years ago

You will also have to read some data with unzReadCurrentFile in order for it to verify that the password is correct.
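Why reading the data is required follows from the traditional PKWARE format itself: at open time the only signal is the last byte of the 12-byte encryption header (the high byte of the entry's CRC-32 when no data descriptor is used), an 8-bit check, and the decisive test is that the CRC-32 of the fully decrypted data matches the stored value, which a reader can only evaluate once it has consumed the whole entry. The following is an added example that models that in Python against PKWARE's APPNOTE description of "Traditional PKWARE Encryption"; it is not minizip's implementation (which lives in its crypt.h and unzip.c) and the password, plaintext and header bytes are constructed.

```python
import zlib

# Standard reflected CRC-32 table; the ZipCrypto key schedule updates its
# first and third key words one byte at a time with it.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoKeys:
    """Traditional PKWARE key state (APPNOTE, 'Traditional PKWARE Encryption')."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for ch in password:
            self.update(ch)

    def update(self, ch: int) -> None:
        k0, k1, k2 = self.k
        k0 = _crc32_byte(k0, ch)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc32_byte(k2, k1 >> 24)
        self.k = [k0, k1, k2]

    def stream_byte(self) -> int:
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)          # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)
            out.append(p)
        return bytes(out)


def seal_entry(password: bytes, plaintext: bytes, header_prefix: bytes):
    """Return (12-byte encrypted header + ciphertext, CRC-32 stored in the directory)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header_prefix[:11] + bytes([crc >> 24])   # check byte = CRC high byte
    keys = ZipCryptoKeys(password)
    return keys.encrypt(header + plaintext), crc


def open_entry(password: bytes, blob: bytes, stored_crc: int):
    """Mirror of what a reader can learn: (header_ok, crc_ok, data).

    header_ok is the one-byte open-time check (1/256 false accept);
    crc_ok is only knowable after every byte of the entry has been read.
    """
    keys = ZipCryptoKeys(password)
    header = keys.decrypt(blob[:12])
    header_ok = header[11] == ((stored_crc >> 24) & 0xFF)
    data = keys.decrypt(blob[12:])
    crc_ok = (zlib.crc32(data) & 0xFFFFFFFF) == stored_crc
    return header_ok, crc_ok, data


# Constructed sample inputs; a real writer fills the header prefix randomly.
PASSWORD = b"correct horse"
PLAINTEXT = b"constructed sample entry body, long enough for the CRC to matter"
HEADER_PREFIX = bytes(range(1, 12))


def demo():
    """Open the sealed entry with the right password and with a wrong one."""
    blob, crc = seal_entry(PASSWORD, PLAINTEXT, HEADER_PREFIX)
    good = open_entry(PASSWORD, blob, crc)
    bad = open_entry(b"wrong password", blob, crc)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("right password: header_ok=%s crc_ok=%s" % good[:2])
    print("wrong password: header_ok=%s crc_ok=%s" % bad[:2])
```

A reader that stops before the end of the entry never gets to the CRC comparison, which is consistent with the report above that a wrong password can go unreported unless the data is read through with unzReadCurrentFile.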