New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support AES decryption #203
Merged
Merged
Changes from 29 commits
Commits
Show all changes
38 commits
Select commit
Hold shift + click to select a range
a265ba7
Create initial `aes_ctr` module
mbr 9f6ee0f
Add `crypt` convenience function
mbr a5d1905
Simpify `aes_ctr` API to just `crypt`
mbr 4afe4d3
Optimize AES code, use less copies
mbr b3ec813
Remove `arrayvec` dependency
mbr 4877a6a
test different aes modes and data sizes
Lireer 852ab62
initial aes reader
Lireer 12260f5
disable crc32 checks when handling aes encrypted data
Lireer d25d6f5
finalize AesReader validation and most of decryption
Lireer e69df5c
finalize aes decryption
Lireer 8ffc2d1
cargo fmt and clippy
Lireer ff23539
differentiate between ae1 and ae2
Lireer 2911282
fix benchmarks
Lireer 0820cc4
fix more clippy warnings
Lireer 354993d
feature gate aes decryption
Lireer 5532fd6
Document aes related modules
Lireer 5f0ae55
Document possible panics
Lireer ed94e8b
test if using the wrong key size panics
Lireer 48b52a7
move AesMode and AesVendorVersion out of aes-crypto feature
Lireer 8f352c3
add missing documentation
Lireer 75e8f6b
use less feature gates if no further dependencies are needed
Lireer c5e55c0
bump MSRV to 1.42
Lireer 09ad713
update crypto dependencies
Lireer 46f65d4
add aes-crypto feature to default and update README
Lireer d7f0a18
Merge remote-tracking branch 'zip-rs/zip/master'
Lireer bb97711
explain trait guarantee violation of read impl
Lireer 35d8f04
"fix" clippy warnings
Lireer 3a71893
run cargo fmt
Lireer c17df86
test decryption of aes encrypted files
Lireer 85bb91f
update aes-crypto dependencies
Lireer 2e06844
fix clippy warning and shorten links in tests
Lireer cfc74a5
use same SHA-1 crate with new name
Lireer fddad89
deduplicate aes testing code
Lireer 49f7501
add and use AES associated constant
Lireer 3d56021
use hmac reset feature for finalize_reset method
Lireer 8f061f8
fix nightly clippy warning
Lireer 91745d5
use `assert_eq` instead of `debug_assert_eq`
Lireer c8aece8
fix nightly clippy warnings in examples
Lireer File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,177 @@ | ||
//! Implementation of the AES decryption for zip files. | ||
//! | ||
//! This was implemented according to the [WinZip specification](https://www.winzip.com/win/en/aes_info.html). | ||
//! Note that using CRC with AES depends on the used encryption specification, AE-1 or AE-2. | ||
//! If the file is marked as encrypted with AE-2 the CRC field is ignored, even if it isn't set to 0. | ||
|
||
use crate::aes_ctr; | ||
use crate::types::AesMode; | ||
use constant_time_eq::constant_time_eq; | ||
use hmac::{Hmac, Mac, NewMac}; | ||
use sha1::Sha1; | ||
use std::io::{self, Read}; | ||
|
||
/// The length of the password verifcation value in bytes | ||
const PWD_VERIFY_LENGTH: usize = 2; | ||
/// The length of the authentication code in bytes | ||
const AUTH_CODE_LENGTH: usize = 10; | ||
/// The number of iterations used with PBKDF2 | ||
const ITERATION_COUNT: u32 = 1000; | ||
|
||
/// Create a AesCipher depending on the used `AesMode` and the given `key`. | ||
/// | ||
/// # Panics | ||
/// | ||
/// This panics if `key` doesn't have the correct size for the chosen aes mode. | ||
fn cipher_from_mode(aes_mode: AesMode, key: &[u8]) -> Box<dyn aes_ctr::AesCipher> { | ||
match aes_mode { | ||
AesMode::Aes128 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes128>::new(key)) | ||
as Box<dyn aes_ctr::AesCipher>, | ||
AesMode::Aes192 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes192>::new(key)) | ||
as Box<dyn aes_ctr::AesCipher>, | ||
AesMode::Aes256 => Box::new(aes_ctr::AesCtrZipKeyStream::<aes_ctr::Aes256>::new(key)) | ||
as Box<dyn aes_ctr::AesCipher>, | ||
} | ||
} | ||
|
||
// An aes encrypted file starts with a salt, whose length depends on the used aes mode | ||
// followed by a 2 byte password verification value | ||
// then the variable length encrypted data | ||
// and lastly a 10 byte authentication code | ||
pub struct AesReader<R> { | ||
reader: R, | ||
aes_mode: AesMode, | ||
data_length: u64, | ||
} | ||
|
||
impl<R: Read> AesReader<R> { | ||
pub fn new(reader: R, aes_mode: AesMode, compressed_size: u64) -> AesReader<R> { | ||
let data_length = compressed_size | ||
- (PWD_VERIFY_LENGTH + AUTH_CODE_LENGTH + aes_mode.salt_length()) as u64; | ||
|
||
Self { | ||
reader, | ||
aes_mode, | ||
data_length, | ||
} | ||
} | ||
|
||
/// Read the AES header bytes and validate the password. | ||
/// | ||
/// Even if the validation succeeds, there is still a 1 in 65536 chance that an incorrect | ||
/// password was provided. | ||
/// It isn't possible to check the authentication code in this step. This will be done after | ||
/// reading and decrypting the file. | ||
/// | ||
/// # Returns | ||
/// | ||
/// If the password verification failed `Ok(None)` will be returned to match the validate | ||
/// method of ZipCryptoReader. | ||
pub fn validate(mut self, password: &[u8]) -> io::Result<Option<AesReaderValid<R>>> { | ||
let salt_length = self.aes_mode.salt_length(); | ||
let key_length = self.aes_mode.key_length(); | ||
|
||
let mut salt = vec![0; salt_length]; | ||
self.reader.read_exact(&mut salt)?; | ||
|
||
// next are 2 bytes used for password verification | ||
let mut pwd_verification_value = vec![0; PWD_VERIFY_LENGTH]; | ||
self.reader.read_exact(&mut pwd_verification_value)?; | ||
|
||
// derive a key from the password and salt | ||
// the length depends on the aes key length | ||
let derived_key_len = 2 * key_length + PWD_VERIFY_LENGTH; | ||
let mut derived_key: Vec<u8> = vec![0; derived_key_len]; | ||
|
||
// use PBKDF2 with HMAC-Sha1 to derive the key | ||
pbkdf2::pbkdf2::<Hmac<Sha1>>(password, &salt, ITERATION_COUNT, &mut derived_key); | ||
let decrypt_key = &derived_key[0..key_length]; | ||
let hmac_key = &derived_key[key_length..key_length * 2]; | ||
let pwd_verify = &derived_key[derived_key_len - 2..]; | ||
|
||
// the last 2 bytes should equal the password verification value | ||
if pwd_verification_value != pwd_verify { | ||
// wrong password | ||
return Ok(None); | ||
} | ||
|
||
let cipher = cipher_from_mode(self.aes_mode, decrypt_key); | ||
let hmac = Hmac::<Sha1>::new_varkey(hmac_key).unwrap(); | ||
|
||
Ok(Some(AesReaderValid { | ||
reader: self.reader, | ||
data_remaining: self.data_length, | ||
cipher, | ||
hmac, | ||
})) | ||
} | ||
} | ||
|
||
/// A reader for aes encrypted files, which has already passed the first password check. | ||
/// | ||
/// There is a 1 in 65536 chance that an invalid password passes that check. | ||
/// After the data has been read and decrypted an HMAC will be checked and provide a final means | ||
/// to check if either the password is invalid or if the data has been changed. | ||
pub struct AesReaderValid<R: Read> { | ||
reader: R, | ||
data_remaining: u64, | ||
cipher: Box<dyn aes_ctr::AesCipher>, | ||
hmac: Hmac<Sha1>, | ||
} | ||
|
||
impl<R: Read> Read for AesReaderValid<R> { | ||
/// This implementation does not fulfill all requirements set in the trait documentation. | ||
/// | ||
/// ```txt | ||
/// "If an error is returned then it must be guaranteed that no bytes were read." | ||
/// ``` | ||
/// | ||
/// Whether this applies to errors that occur while reading the encrypted data depends on the | ||
/// underlying reader. If the error occurs while verifying the HMAC, the reader might become | ||
/// practically unusable, since its position after the error is not known. | ||
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { | ||
if self.data_remaining == 0 { | ||
return Ok(0); | ||
} | ||
|
||
// get the number of bytes to read, compare as u64 to make sure we can read more than | ||
// 2^32 bytes even on 32 bit systems. | ||
let bytes_to_read = self.data_remaining.min(buf.len() as u64) as usize; | ||
let read = self.reader.read(&mut buf[0..bytes_to_read])?; | ||
self.data_remaining -= read as u64; | ||
|
||
// Update the hmac with the encrypted data | ||
self.hmac.update(&buf[0..read]); | ||
|
||
// decrypt the data | ||
self.cipher.crypt_in_place(&mut buf[0..read]); | ||
|
||
// if there is no data left to read, check the integrity of the data | ||
if self.data_remaining == 0 { | ||
// Zip uses HMAC-Sha1-80, which only uses the first half of the hash | ||
// see https://www.winzip.com/win/en/aes_info.html#auth-faq | ||
let mut read_auth_code = [0; AUTH_CODE_LENGTH]; | ||
self.reader.read_exact(&mut read_auth_code)?; | ||
let computed_auth_code = &self.hmac.finalize_reset().into_bytes()[0..AUTH_CODE_LENGTH]; | ||
|
||
// use constant time comparison to mitigate timing attacks | ||
if !constant_time_eq(computed_auth_code, &read_auth_code) { | ||
return Err( | ||
io::Error::new( | ||
io::ErrorKind::InvalidData, | ||
"Invalid authentication code, this could be due to an invalid password or errors in the data" | ||
) | ||
); | ||
} | ||
} | ||
|
||
Ok(read) | ||
} | ||
} | ||
|
||
impl<R: Read> AesReaderValid<R> { | ||
/// Consumes this decoder, returning the underlying reader. | ||
pub fn into_inner(self) -> R { | ||
self.reader | ||
} | ||
} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about using the latest aes version 0.7.5?
There seems to be breaking changes in the API.
Thank you for the hard work!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried updating aes, pbkdf2, hmac and sha-1 (now sha1) together since they all use the same dependencies. Since this required some small changes to the decryption code, I also put in some more (possibly meaningless) checks.
This increased the performance of AES-128 from 42 MB/s to around 160 - 180 MB/s.