£ symbol in master password prevents decryption of exported zip #59

Closed
bluto32 opened this issue Sep 2, 2021 · 8 comments

bluto32 commented Sep 2, 2021

Describe the bug
If the master password contains the £ (British currency) character, 7-Zip fails to decrypt an encrypted data export from Raivo. The error message given by 7-Zip is simply "Wrong password". This is with the latest version of Windows 10 Pro 64-bit.

To Reproduce

  1. Reset (or reinstall) Raivo.
  2. Choose a master password which includes the £ symbol.
  3. Acquire some OTPs.
  4. Click on Settings, Export OTPs, Export, Mail
  5. Send zip via email to Windows PC
  6. Attempt to extract files from zip with 7-Zip using master password.
  7. "Wrong password" error given by 7-Zip.

Smartphone
iPhone 7
iOS 14.7.1 (up to date)

Conjecture
Could this arise because the £ symbol has different extended ASCII codes depending on which character set is being used? Maybe Raivo and 7-Zip employ different character sets? If so, other characters are likely to be affected.
e.g. https://en.wikipedia.org/wiki/ISO/IEC_8859

I had no such trouble when including the & or ? characters (without £) in the master password. But these have ASCII codes under 128, so perhaps they are safer?

P.S. Apologies if you also get this bug notification on the Raivo Freshdesk site. I tried to submit it there a few days ago (as a guest, without registering), but was unable to create an account afterwards to check the ticket.

bluto32 added the "Bug" label (You've found a bug in Raivo) on Sep 2, 2021

Contributor

tijme commented Sep 3, 2021

Hi @bluto32,

Thanks for the detailed bug report. I did not get any notification from Freshdesk, so good that you reported it here!

I will try to look at the bug when I have the time.


TrayBer commented Sep 4, 2021

I ran into the same problem.

I set a new password, but when I unzip the exported file, it always prompts a password error.

Also, is it possible to give an option to compress the file without setting a password? It would also avoid the case of forgetting the password.

Author

bluto32 commented Oct 2, 2021

Just an update on the £ bug. Having experimented with various passwords in Raivo, I have now found that any of the following four symbols will prevent Windows 7-Zip from decrypting the exported archive:
£ € ¥ •

All other symbols are absolutely fine in the password and cause no problems:
/ - : ; ( ) & @ " . , ? ! ' _ \ | ~ < > $

As an experiment, I typed in the same four problematic symbols into a blank document in "Notes" on my iPhone, and sent this by email to my PC. They showed up fine in my email and could be copied and pasted into a Notepad document without any problems.
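
The character-set conjecture above can be checked offline; the following is an added example, not part of the original posts and not Raivo's or 7-Zip's code. It assumes the AES export uses the WinZip AE-x key derivation (PBKDF2-HMAC-SHA1, 1000 iterations, 2-byte password verifier); the salt and the list of candidate encodings are constructed for illustration and say nothing about which encoding either tool actually uses.

```python
import hashlib

# Constructed inputs: a fixed salt stands in for the random per-entry salt,
# and the code pages are illustrative candidates, not taken from the thread.
SALT = bytes(range(16))
ENCODINGS = ("utf-8", "cp1252", "mac_roman", "cp437")
PROBLEM_SYMBOLS = "£€¥•"                       # reported as failing
FINE_SYMBOLS = "/-:;()&@\".,?!'_\\|~<>$"       # reported as working


def password_bytes(password, encoding):
    """Bytes a tool using `encoding` would hand to the KDF, or None."""
    try:
        return password.encode(encoding)
    except UnicodeEncodeError:
        return None  # the character does not exist in that code page


def aes_verifier(pw_bytes, salt=SALT, key_bits=256):
    """WinZip AE-x style derivation (assumed): PBKDF2-HMAC-SHA1, 1000 rounds.
    Output = AES key + HMAC key + 2-byte password verification value."""
    key_len = key_bits // 8
    derived = hashlib.pbkdf2_hmac("sha1", pw_bytes, salt, 1000,
                                  dklen=2 * key_len + 2)
    return derived[-2:]


def verifiers_by_encoding(password):
    """Map each candidate encoding to the verifier it would produce."""
    result = {}
    for enc in ENCODINGS:
        raw = password_bytes(password, enc)
        result[enc] = aes_verifier(raw) if raw is not None else None
    return result


def encodings_agree(password):
    """True when every encoding yields the same verifier for this password."""
    return len(set(verifiers_by_encoding(password).values())) == 1


if __name__ == "__main__":
    for pw in ("qwertyuiop", "qwertyuiop£"):
        print(repr(pw), "agree" if encodings_agree(pw) else "differ")
        for enc in ENCODINGS:
            raw = password_bytes(pw, enc)
            print(f"  {enc:10} {raw.hex(' ') if raw else 'not encodable'}")
```

Under this assumption, an extractor whose verifier does not match the one stored in the archive rejects the password before attempting decryption, which is consistent with a bare "Wrong password" message.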

Contributor

tijme commented Oct 3, 2021

Hi @bluto32,

I was debugging this issue and found out that the built-in archivers in iOS and macOS are able to decrypt the ZIP archive. There seems to be a difference in the way the built-in archiver and third-party archivers handle these characters. Not sure what yet. Not sure if it's the character set.

Author

bluto32 commented Oct 4, 2021

Thanks for looking into it. Your comment prompted me to try decrypting Raivo exported zip files by other means. (I should point out that I am using an obsolete 2FA token for these tests, and not uploading sensitive information!)

Problem Password (with a £): qwertyuiop£

  1. Windows 10 built-in unzipper: Doesn't even ask for a password and goes straight to an error:
    Error 0x80004005: Unspecified error
  2. Online ezyZip.com extractor: Success!
  3. Online extract.me: Repeatedly prompts for a password - never gets any further.

Nice Password: qwertyuiop

  1. Windows 10 built-in unzipper: Again, doesn't even ask for a password and goes straight to an error:
    Error 0x80004005: Unspecified error
  2. Online ezyZip.com extractor: Success!
  3. Online extract.me: Accepts the password, but gives an error upon extraction:
    Unable to open file raivo-otp-export.zip. That might be because the file is not supported or is damaged.

I was particularly surprised by the difficulties caused by a "nice" password. I haven't yet tried any other desktop unzippers (such as WinZip) as I don't want to muck up the registry, which is currently tied to 7-Zip.

Hope some of the above helps with your detective work. It seems to suggest that there are two separate issues at play, neither of which may have anything to do with Raivo after all:

  • Some zippers (such as 7-Zip) deal with the 4 problem characters differently to iOS, but are otherwise compatible when these characters are not used.
  • Other zippers (such as Windows 10 unzip) are completely incompatible with encrypted iOS zips, however straightforward the password characters are.

Contributor

tijme commented Jul 21, 2022

This is fixed on the dev branch and will soon (in a few weeks) be pushed to public.

Contributor

tijme commented Jul 21, 2022

Sorry that it took so long...

Contributor

tijme commented Jul 22, 2022

Closing it as it is fixed and will be published within a few weeks.

Addition (29-07-2022):

As @bluto32 rightfully noticed, the root cause of this issue isn't fixed yet. I've changed encryption from AES to ZIPCrypto in order to prevent the issue from occurring. I hope to change back to AES encryption once I've been able to mitigate the root cause.
