Update to libzip-1.9.0

.clang-format

@@ -0,0 +1,12 @@
+BasedOnStyle: LLVM
+IndentWidth: 4
+ColumnLimit: 2000
+AlwaysBreakAfterReturnType: TopLevelDefinitions
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 2
+BreakBeforeBraces: Custom
+BraceWrapping:
+  BeforeElse: true
+AlignEscapedNewlines: Left
+UseTab: Never
+#PPDirectiveIndentStyle: AfterHash

NEWS.md

@@ -1,3 +1,12 @@
+1.9.0 [2022-06-13]
+==================
+
+* Add `zip_file_is_seekable()`.
+* Improve compatibility with WinAES.
+* Fix encoding handling in `zip_name_locate()`.
+* Add option to `zipcmp` to output summary of changes.
+* Various bug fixes and documentation improvements.
+
 1.8.0 [2021-06-18]
 ==================
 

README.md

@@ -2,7 +2,7 @@
 
 libzip Windows build with Visual Studio.
 
-This version is libzip-1.8.0.
+This version is libzip-1.9.0.
 
 To build, simply open the required solution file, and
 you know how to use Visual Studio, right?

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+We are not maintaining multiple branches, so all fixes will be committed to head and included in the next release.
+
+We take great care to maintain backwards compatibility, so we expect our users to use the latest version.
+
+## Reporting a Vulnerability
+
+You can reach us per email at [email protected]. 
+
+For less sensitive reports, you can also open an issue or pull request on GitHub.

THANKS

@@ -4,6 +4,7 @@ and some other general information gathered from their sources.
 Thanks to these people for suggestions, testing, and bug reports:
 
 Agostino Sarubbo
+Alberto Spin
 Alexander Galanin <[email protected]>
 Alexandr Shadchin <[email protected]>
 Alexey Bykov <[email protected]>
@@ -40,30 +41,35 @@ Elvis Angelaccio
 Erwin Haid <[email protected]>
 Eun-cheol Joo
 Fabrice Fontaine
+Filip Niksic
 Florian Delizy <[email protected]>
 Force Charlie <[email protected]>
 François Simon <[email protected]>
 Frederik Ramm <[email protected]>
 gk7huki <[email protected]>
 Gerard ODonnell
+Giovanni
 Hanno Böck <[email protected]>
 HeeMyung
 Heiko Becker
 Heiko Hund <[email protected]>
 Ilya Voronin
 Info-ZIP group
+Ivan Kolesnikov <[email protected]>
 Jan Weiß <[email protected]>
 Jay Freeman (saurik) <[email protected]>
 jloqfjgk@github
 Joachim Reichel <[email protected]>
 João Custódio <[email protected]>
 Joel Ebrahimi <[email protected]>
 Jono Spiro <[email protected]>
+Julien Matthey <[email protected]>
 Julien Schueller <[email protected]>
 kensington <[email protected]>
 Keith Jones <[email protected]>
 Khaled Mardam-Bey
 Kohei Yoshida <[email protected]>
+Krzesimir Nowak <[email protected]>
 Leith Bade <[email protected]>
 Lubomir I. Ivanov <[email protected]>
 Maël Nison
@@ -72,11 +78,13 @@ Martin Herkt <[email protected]>
 Martin Szulecki <[email protected]>
 Michael Balzer
 Michael Beck <[email protected]>
+Michael Heimpold <[email protected]>
 Michał Janiszewski <[email protected]>
 Michal Vyskocil <[email protected]>
 Mikhail Gusarov <[email protected]>.
 Miklos Vajna
 Morris Hafner
+Muhammad Arslan Kabeer
 Oliver Kaiser <[email protected]>
 Oliver Kuckertz <[email protected]>
 OSS-Fuzz Team
@@ -88,33 +96,43 @@ Paul Sheppard <[email protected]>
 Pavel Raiskup <[email protected]>
 Pierre Joye <[email protected]>
 Pierre-Louis Cabelguen <[email protected]>
+PW Hu <[email protected]>
+Rafał Mikrut
 Randy <[email protected]>
 Remi Collet <[email protected]>
+rezso <[email protected]>
 Richard Schütz
 Rick Carback <[email protected]>
 Rikard Falkeborn <[email protected]>
 Robert Norris <[email protected]>
 Roberto Tirabassi <[email protected]>
+robhz786 <[email protected]>
 Roland Ortloff <[email protected]>
 Rosen Penev <[email protected]>
 Ryan Burns <[email protected]>
+scribam
 Sebastian Kemper <[email protected]>
 Sebastian Schmitt <[email protected]>
 Sergei Ozerov <[email protected]>
+shenlebantongying
 Simon Talbot <[email protected]>
+SpaceIm
 Stephen Bryant <[email protected]>
 Tabata Shintaro <[email protected]>
 Tarmo Pikaro <[email protected]>
 Taylor C. Richberger
 TC
 Tim Lunn <[email protected]>
 Timo Warns <[email protected]>
+Timofey
 Tom Callaway <[email protected]>
 Tomas Hoger <[email protected]>
 Tomáš Malý <[email protected]>
 Torsten Paul <[email protected]>
 Transporter <[email protected]>
 Vassili Courzakis <[email protected]>
+Vitaly Murashev <[email protected]>
 William Lee
+William Ouwehand <[email protected]>
 Wojciech Michalski <[email protected]>
 Wolfgang Glunz <[email protected]>

TODO.md

@@ -1,6 +1,10 @@
 ## Before next release
 
-reconsider zip_source_zip (uncompressed data for whole file not easy to get)
+## Other
+
+- Support extended timestamp extra field (0x5455): mtime overrides dos mtime from dirent, function to get/set all three.  
+
+- reconsider zip_source_zip (uncompressed data for whole file not easy to get)
 
 ## Prefixes
 
@@ -80,6 +84,7 @@ const zip_uint8_t *zip_get_archive_prefix(struct zip *za, zip_uint64_t *lengthp)
 
 ## Documentation
 
+* document valid file paths
 * document: `zip_source_write()`: length can't be > `ZIP_INT64_MAX`
 * document: `ZIP_SOURCE_CLOSE` implementation can't return error
 * keep error codes in man pages in sync

distfiles/download.url

@@ -1 +1 @@
-https://github.com/nih-at/libzip/releases/download/v1.8.0/libzip-1.8.0.tar.xz
+https://github.com/nih-at/libzip/releases/download/v1.9.0/libzip-1.9.0.tar.xz

lib/zip.h

@@ -401,6 +401,7 @@ ZIP_EXTERN const zip_uint8_t *_Nullable zip_file_extra_field_get_by_id(zip_t *_N
 ZIP_EXTERN const char *_Nullable zip_file_get_comment(zip_t *_Nonnull, zip_uint64_t, zip_uint32_t *_Nullable, zip_flags_t);
 ZIP_EXTERN zip_error_t *_Nonnull zip_file_get_error(zip_file_t *_Nonnull);
 ZIP_EXTERN int zip_file_get_external_attributes(zip_t *_Nonnull, zip_uint64_t, zip_flags_t, zip_uint8_t *_Nullable, zip_uint32_t *_Nullable);
+ZIP_EXTERN int zip_file_is_seekable(zip_file_t *_Nonnull);
 ZIP_EXTERN int zip_file_rename(zip_t *_Nonnull, zip_uint64_t, const char *_Nonnull, zip_flags_t);
 ZIP_EXTERN int zip_file_replace(zip_t *_Nonnull, zip_uint64_t, zip_source_t *_Nonnull, zip_flags_t);
 ZIP_EXTERN int zip_file_set_comment(zip_t *_Nonnull, zip_uint64_t, const char *_Nullable, zip_uint16_t, zip_flags_t);

lib/zip_close.c

@@ -1,6 +1,6 @@
 /*
   zip_close.c -- close zip archive and update changes
-  Copyright (C) 1999-2021 Dieter Baron and Thomas Klausner
+  Copyright (C) 1999-2022 Dieter Baron and Thomas Klausner
 
   This file is part of libzip, a library to manipulate ZIP archives.
   The authors can be contacted at <[email protected]>
@@ -448,14 +448,30 @@ add_data(zip_t *za, zip_source_t *src, zip_dirent_t *de, zip_uint32_t changed) {
             zip_source_free(src_final);
             return -1;
         }
+
+        if (de->encryption_method == ZIP_EM_TRAD_PKWARE) {
+            de->bitflags |= ZIP_GPBF_DATA_DESCRIPTOR;
+
+            /* PKWare encryption uses last_mod, make sure it gets the right value. */
+            if (de->changed & ZIP_DIRENT_LAST_MOD) {
+                zip_stat_t st_mtime;
+                zip_stat_init(&st_mtime);
+                st_mtime.valid = ZIP_STAT_MTIME;
+                st_mtime.mtime = de->last_mod;
+                if ((src_tmp = _zip_source_window_new(src_final, 0, -1, &st_mtime, NULL, NULL, 0, &za->error)) == NULL) {
+                    zip_source_free(src_final);
+                    return -1;
+                }
+                zip_source_free(src_final);
+                src_final = src_tmp;
+            }
+        }
+
         if ((src_tmp = impl(za, src_final, de->encryption_method, ZIP_CODEC_ENCODE, password)) == NULL) {
             /* error set by impl */
             zip_source_free(src_final);
             return -1;
         }
-        if (de->encryption_method == ZIP_EM_TRAD_PKWARE) {
-            de->bitflags |= ZIP_GPBF_DATA_DESCRIPTOR;
-        }
 
         zip_source_free(src_final);
         src_final = src_tmp;

lib/zip_crypto_openssl.c

@@ -48,13 +48,45 @@
 _zip_crypto_aes_t *
 _zip_crypto_aes_new(const zip_uint8_t *key, zip_uint16_t key_size, zip_error_t *error) {
     _zip_crypto_aes_t *aes;
+    const EVP_CIPHER* cipher_type;
+
+    switch (key_size) {
+    case 128:
+        cipher_type = EVP_aes_128_ecb();
+        break;
+    case 192:
+        cipher_type = EVP_aes_192_ecb();
+        break;
+    case 256:
+        cipher_type = EVP_aes_256_ecb();
+        break;
+    default:
+        zip_error_set(error, ZIP_ER_INTERNAL, 0);
+        return NULL;
+    }
 
+#ifdef USE_OPENSSL_1_0_API
     if ((aes = (_zip_crypto_aes_t *)malloc(sizeof(*aes))) == NULL) {
         zip_error_set(error, ZIP_ER_MEMORY, 0);
         return NULL;
     }
+    memset(aes, 0, sizeof(*aes));
+#else
+    if ((aes = EVP_CIPHER_CTX_new()) == NULL) {
+        zip_error_set(error, ZIP_ER_MEMORY, 0);
+        return NULL;
+    }
+#endif
 
-    AES_set_encrypt_key(key, key_size, aes);
+    if (EVP_EncryptInit_ex(aes, cipher_type, NULL, key, NULL) != 1) {
+#ifdef USE_OPENSSL_1_0_API
+        free(aes);
+#else
+        EVP_CIPHER_CTX_free(aes);
+#endif
+        zip_error_set(error, ZIP_ER_INTERNAL, 0);
+        return NULL;
+    }
 
     return aes;
 }
@@ -65,8 +97,23 @@ _zip_crypto_aes_free(_zip_crypto_aes_t *aes) {
         return;
     }
 
+#ifdef USE_OPENSSL_1_0_API
+    EVP_CIPHER_CTX_cleanup(aes);
     _zip_crypto_clear(aes, sizeof(*aes));
     free(aes);
+#else
+    EVP_CIPHER_CTX_free(aes);
+#endif
+}
+
+
+bool
+_zip_crypto_aes_encrypt_block(_zip_crypto_aes_t *aes, const zip_uint8_t *in, zip_uint8_t *out) {
+    int len;
+    if (EVP_EncryptUpdate(aes, out, &len, in, ZIP_CRYPTO_AES_BLOCK_LENGTH) != 1) {
+        return false;
+    }
+    return true;
 }
 
 

lib/zip_crypto_openssl.h

@@ -36,14 +36,14 @@
 
 #define HAVE_SECURE_RANDOM
 
-#include <openssl/aes.h>
+#include <openssl/evp.h>
 #include <openssl/hmac.h>
 
-#define _zip_crypto_aes_t AES_KEY
+#define _zip_crypto_aes_t EVP_CIPHER_CTX
 #define _zip_crypto_hmac_t HMAC_CTX
 
 void _zip_crypto_aes_free(_zip_crypto_aes_t *aes);
-#define _zip_crypto_aes_encrypt_block(aes, in, out) (AES_encrypt((in), (out), (aes)), true)
+bool _zip_crypto_aes_encrypt_block(_zip_crypto_aes_t *aes, const zip_uint8_t *in, zip_uint8_t *out);
 _zip_crypto_aes_t *_zip_crypto_aes_new(const zip_uint8_t *key, zip_uint16_t key_size, zip_error_t *error);
 
 #define _zip_crypto_hmac(hmac, data, length) (HMAC_Update((hmac), (data), (length)) == 1)

lib/zip_dirent.c

@@ -664,19 +664,18 @@ _zip_dirent_process_winzip_aes(zip_dirent_t *de, zip_error_t *error) {
 
     crc_valid = true;
     switch (_zip_buffer_get_16(buffer)) {
-    case 1:
-        break;
+        case 1:
+            break;
 
-    case 2:
-        if (de->uncomp_size < 20 /* TODO: constant */) {
+        case 2:
             crc_valid = false;
-        }
-        break;
-
-    default:
-        zip_error_set(error, ZIP_ER_ENCRNOTSUPP, 0);
-        _zip_buffer_free(buffer);
-        return false;
+            /* TODO: When checking consistency, check that crc is 0. */
+            break;
+            
+        default:
+            zip_error_set(error, ZIP_ER_ENCRNOTSUPP, 0);
+            _zip_buffer_free(buffer);
+            return false;
     }
 
     /* vendor */

lib/zip_file_set_mtime.c

@@ -1,6 +1,6 @@
 /*
  zip_file_set_mtime.c -- set modification time of entry.
- Copyright (C) 2014-2020 Dieter Baron and Thomas Klausner
+ Copyright (C) 2014-2022 Dieter Baron and Thomas Klausner
 
  This file is part of libzip, a library to manipulate ZIP archives.
  The authors can be contacted at <[email protected]>
@@ -54,6 +54,11 @@ zip_file_set_mtime(zip_t *za, zip_uint64_t idx, time_t mtime, zip_flags_t flags)
 
     e = za->entry + idx;
 
+    if (e->orig != NULL && e->orig->encryption_method == ZIP_EM_TRAD_PKWARE && !ZIP_ENTRY_CHANGED(e, ZIP_DIRENT_ENCRYPTION_METHOD) && !ZIP_ENTRY_DATA_CHANGED(e)) {
+        zip_error_set(&za->error, ZIP_ER_OPNOTSUPP, 0);
+        return -1;
+    }
+
     if (e->changes == NULL) {
         if ((e->changes = _zip_dirent_clone(e->orig)) == NULL) {
             zip_error_set(&za->error, ZIP_ER_MEMORY, 0);

lib/zip_fseek.c

@@ -49,3 +49,13 @@ zip_fseek(zip_file_t *zf, zip_int64_t offset, int whence) {
 
     return 0;
 }
+
+
+ZIP_EXTERN int
+zip_file_is_seekable(zip_file_t *zfile) {
+    if (!zfile) {
+        return -1;
+    }
+
+    return (zip_source_supports(zfile->src) & ZIP_SOURCE_SEEK) != 0;
+}