OpenReaderWithPassword() returns nil ("ok,alright") with wrong password (when -mhe=off)
adenis78 opened this issue · 3 comments
When i made compessed file with password (or without password, when password == "") and no header compress, i've get no errors when read files from 7z archive - with that wrong password. I've got file (wrong data) in sevenzip.fs as if input was right, true password:
r, err := sevenzip.OpenReaderWithPassword(PathFile, "somewrongpass")
defer r.Close()
if err != nil { // there is nil, ok - prigram is continued.
err.Println(err)
os.Exit(-1)
}
(but the program continues as there was no error )
May be Im do not undestand something? Is it normal behavior?
I suspect when you created your archive, you didn't pass -mhe=on. This means that the headers are not encrypted, (as well as being uncompressed), which means that you can read the archive metadata without a password. That's all that OpenReader*() does, so it never needs to use the password.
If you only used encryption and no compression, then there's no way to detect that the password is wrong without extracting an entire file and computing its CRC32 value and comparing it to the value that's in its FileHeader struct.
For example, if I create an archive like so:
$ 7z a -ppassword -m0=copy test.7z file1 file2 ...
You can then extract them again using 7z x test.7z with the wrong password typed in. You'll get each file extracted with the right sizes, but the CRC values won't match, that's your only clue.
If you use compression, then the decompression routine will usually error that the decrypted bytes aren't in a valid format without having to read the whole file.
thanks for the answer! I also thought that I would have to manually compare the crc32 file with the value in the archive header.
If this function were in your package/module, it would be a little easier - otherwise, without compressing the archive header, the password does not ensure the identity of the data. I hope I'll add it to the cloned package tomorrow
You don't have to compress the headers, you just have to encrypt them; -mhe=on is independent of -mhc=on|off, you can mix and match both. If the headers are unencrypted then the code is working as expected as the password is never needed in order to open the archive and list the files, (this is also true with the 7z utility).
I could compute the CRC32 value on the fly, however:
- An error can only be triggered when calling
Close()on an opened file after reading the whole file, which means you've already read it in entirety. If you open a file and read anything less than the whole thing, the CRC32 value is meaningless. - It only really makes sense to do this when you're just using encryption and only the copy compression method (i.e. no compression). If you use encryption in combination with any sort of compression, (LZMA, bzip2, etc.) then you'll likely get an error almost immediately when reading a file as the decompression won't produce a valid LZMA, (for example), stream, you won't be able to read the whole file in that case without the correct password.
If you want to compute the CRC yourself, you can do something like this with io.TeeReader():
r, err := sevenzip.OpenReaderWithPassword("archive.7z", "password")
if err != nil {
panic(err)
}
defer r.Close()
h := crc32.NewIEEE()
for _, f := range r.File {
rc, err := f.Open()
if err != nil {
panic(err)
}
defer rc.Close()
h.Reset()
tr := io.TeeReader(rc, h)
// Read from tr until EOF
// Now compare h.Sum(nil) with f.CRC32
}