aacs.c 32.1 KB
Newer Older
1 2
/*
 * This file is part of libaacs
3
 * Copyright (C) 2009-2010  Obliter0n
npzacs's avatar
npzacs committed
4
 * Copyright (C) 2009-2010  npzacs
5
 *
gates's avatar
gates committed
6 7 8 9
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
10
 *
gates's avatar
gates committed
11
 * This library is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
gates's avatar
gates committed
13 14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
15
 *
gates's avatar
gates committed
16 17 18
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
19 20
 */

npzacs's avatar
npzacs committed
21 22 23 24
#if HAVE_CONFIG_H
#include "config.h"
#endif

npzacs's avatar
npzacs committed
25 26
#include <util/attributes.h>

npzacs's avatar
npzacs committed
27
#include "aacs-version.h"
cRTrn13's avatar
cRTrn13 committed
28
#include "aacs.h"
29
#include "crypto.h"
cRTrn13's avatar
cRTrn13 committed
30
#include "mmc.h"
31
#include "mkb.h"
gates's avatar
gates committed
32
#include "file/file.h"
gates's avatar
gates committed
33
#include "file/keydbcfg.h"
34 35
#include "util/macro.h"
#include "util/logging.h"
36
#include "util/strutl.h"
cRTrn13's avatar
cRTrn13 committed
37

38
#include <inttypes.h>
39
#include <string.h>
40
#include <stdio.h>
npzacs's avatar
npzacs committed
41 42 43
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
44
#include <gcrypt.h>
45

npzacs's avatar
npzacs committed
46

npzacs's avatar
npzacs committed
47
struct aacs {
npzacs's avatar
npzacs committed
48 49 50 51 52
    /* current disc */
    char     *path;
    int       mkb_version;
    uint8_t   disc_id[20];

53 54
    /* VID is cached for BD-J */
    uint8_t   vid[16];
55 56
    /* PMSN is cached for BD-J */
    uint8_t   pmsn[16];
npzacs's avatar
npzacs committed
57 58 59 60

    /* unit key for each CPS unit */
    uint32_t  num_uks;
    uint8_t  *uks;
npzacs's avatar
npzacs committed
61

npzacs's avatar
npzacs committed
62 63 64 65 66 67
    /* CPS unit of currently selected title */
    uint16_t  current_cps_unit;

    /* title -> CPS unit mappings */
    uint32_t  num_titles;
    uint16_t *cps_units;  /* [0] = first play ; [1] = top menu ; [2] = title 1 ... */
68 69 70 71

    /* bus encryption */
    int       bee;        /* bus encryption enabled flag in content certificate */
    int       bec;        /* bus encryption capable flag in drive certificate */
72
    uint8_t   read_data_key[16];
73 74 75 76

    /* AACS Online (BD-J) */
    uint8_t   device_nonce[16];
    uint8_t   device_binding_id[16];
npzacs's avatar
npzacs committed
77 78
};

79 80
static const uint8_t empty_key[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00";
81 82
static const uint8_t aacs_iv[]   = "\x0b\xa0\xf8\xdd\xfe\xa6\x1f\xb3"
                                   "\xd8\xdf\x9f\x56\x6a\x05\x0f\x78";
83

84 85
static int _validate_pk(const uint8_t *pk,
                        const uint8_t *cvalue, const uint8_t *uv, const uint8_t *vd,
npzacs's avatar
npzacs committed
86
                        uint8_t *mk)
cRTrn13's avatar
cRTrn13 committed
87
{
88
    gcry_cipher_hd_t gcry_h;
npzacs's avatar
npzacs committed
89
    int a;
cRTrn13's avatar
cRTrn13 committed
90
    uint8_t dec_vd[16];
91
    char str[40];
cRTrn13's avatar
cRTrn13 committed
92

93
    DEBUG(DBG_AACS, "Validate processing key %s...\n", print_hex(str, pk, 16));
cRTrn13's avatar
cRTrn13 committed
94
    DEBUG(DBG_AACS, " Using:\n");
95 96 97
    DEBUG(DBG_AACS, "   UV: %s\n", print_hex(str, uv, 4));
    DEBUG(DBG_AACS, "   cvalue: %s\n", print_hex(str, cvalue, 16));
    DEBUG(DBG_AACS, "   Verification data: %s\n", print_hex(str, vd, 16));
98

99 100 101
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, pk, 16);
    gcry_cipher_decrypt(gcry_h, mk, 16, cvalue, 16);
102

cRTrn13's avatar
cRTrn13 committed
103 104 105 106
    for (a = 0; a < 4; a++) {
        mk[a + 12] ^= uv[a];
    }

107 108 109
    gcry_cipher_setkey(gcry_h, mk, 16);
    gcry_cipher_decrypt (gcry_h, dec_vd, 16, vd, 16);
    gcry_cipher_close(gcry_h);
110

cRTrn13's avatar
cRTrn13 committed
111
    if (!memcmp(dec_vd, "\x01\x23\x45\x67\x89\xAB\xCD\xEF", 8)) {
npzacs's avatar
npzacs committed
112
        DEBUG(DBG_AACS, "Processing key %s is valid!\n", print_hex(str, pk, 16));
npzacs's avatar
npzacs committed
113
        return AACS_SUCCESS;
cRTrn13's avatar
cRTrn13 committed
114 115
    }

npzacs's avatar
npzacs committed
116
    return AACS_ERROR_NO_PK;
cRTrn13's avatar
cRTrn13 committed
117
}
118

119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158
static int _rl_verify_signature(const uint8_t *rl, size_t size)
{
    int    entries = MKINT_BE32(rl + 12 + 8);
    size_t len     = 12 + 12 + 8 * entries; /* type_and_version_rec=12, rl_header=12, rl=entries*8 */

    if (len + 40 > size) {
        DEBUG(DBG_AACS, "revocation list size mismatch\n");
        return 0;
    }

    return crypto_aacs_verify_aacsla(rl + len, rl, len);
}

static void _update_drl(MKB *mkb)
{
    uint32_t version = mkb_version(mkb);
    uint32_t cache_version;

    if (!cache_get("drl", &cache_version, NULL, NULL) || cache_version < version) {
        size_t drl_len;
        const uint8_t *drl_rec = mkb_drive_revokation_entries(mkb, &drl_len);
        const uint8_t *v_rec   = mkb_type_and_version_record(mkb);

        if (drl_rec && v_rec) {
            drl_rec -= 4;
            drl_len += 4;

            uint8_t *data = malloc(12 + drl_len);
            memcpy(data,      v_rec,   12);
            memcpy(data + 12, drl_rec, drl_len);
            if (!_rl_verify_signature(data, drl_len + 12)) {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid drive revocation list signature, not using it\n");
            } else {
                cache_save("drl", version, data, drl_len + 12);
            }
            X_FREE(data);
        }
    }
}

159
static int _calc_mk(AACS *aacs, uint8_t *mk, pk_list *pkl)
cRTrn13's avatar
keyfile  
cRTrn13 committed
160 161 162
{
    int a, num_uvs = 0;
    size_t len;
163
    uint8_t *buf = NULL;
cRTrn13's avatar
keyfile  
cRTrn13 committed
164
    MKB *mkb = NULL;
165
    const uint8_t *rec, *uvs;
cRTrn13's avatar
keyfile  
cRTrn13 committed
166

167
    /* Skip if retrieved from config file */
168 169 170
    if (memcmp(mk, empty_key, 16)) {
        return AACS_SUCCESS;
    }
171

cRTrn13's avatar
cRTrn13 committed
172 173
    DEBUG(DBG_AACS, "Calculate media key...\n");

npzacs's avatar
npzacs committed
174
    if ((mkb = mkb_open(aacs->path))) {
175
        DEBUG(DBG_AACS, "Get UVS...\n");
176
        _update_drl(mkb);
npzacs's avatar
npzacs committed
177
        aacs->mkb_version = mkb_version(mkb);
178 179 180 181 182 183 184 185
        uvs = mkb_subdiff_records(mkb, &len);
        rec = uvs;
        while (rec < uvs + len) {
            if (rec[0] & 0xc0)
                break;
            rec += 5;
            num_uvs++;
        }
cRTrn13's avatar
keyfile  
cRTrn13 committed
186

187 188
        DEBUG(DBG_AACS, "Get cvalues...\n");
        rec = mkb_cvalues(mkb, &len);
189 190

        for (; pkl && pkl->key; pkl = pkl->next) {
191
                uint8_t pk[16];
192
                hexstring_to_hex_array(pk, sizeof(pk), pkl->key);
193 194 195
                DEBUG(DBG_AACS, "Trying processing key...\n");

                for (a = 0; a < num_uvs; a++) {
196
                    if (AACS_SUCCESS == _validate_pk(pk, rec + a * 16, uvs + 1 + a * 5,
197
                      mkb_mk_dv(mkb), mk)) {
198 199
                        mkb_close(mkb);
                        X_FREE(buf);
200

201
                        char str[40];
202
                        DEBUG(DBG_AACS, "Media key: %s\n", print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
203
                        return AACS_SUCCESS;
204 205
                    }
                }
cRTrn13's avatar
keyfile  
cRTrn13 committed
206 207
            }

208 209
        mkb_close(mkb);
        X_FREE(buf);
cRTrn13's avatar
keyfile  
cRTrn13 committed
210

npzacs's avatar
npzacs committed
211
        DEBUG(DBG_AACS | DBG_CRIT, "Error calculating media key. Missing right processing key ?\n");
npzacs's avatar
npzacs committed
212
        return AACS_ERROR_NO_PK;
npzacs's avatar
npzacs committed
213
    }
npzacs's avatar
npzacs committed
214

npzacs's avatar
npzacs committed
215
    DEBUG(DBG_AACS | DBG_CRIT, "Error opening %s/AACS/MKB_RO.inf\n", aacs->path);
npzacs's avatar
npzacs committed
216
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
keyfile  
cRTrn13 committed
217
}
218

219 220 221 222
static MKB *_get_hrl_mkb(MMC *mmc)
{
    MKB     *mkb = NULL;
    uint8_t *data;
npzacs's avatar
npzacs committed
223
    int      mkb_size;
224

npzacs's avatar
npzacs committed
225
    data = mmc_read_mkb(mmc, 0, &mkb_size);
226 227

    /* check acquired hrl signature */
npzacs's avatar
npzacs committed
228 229 230
    if (data && mkb_size > 0) {
        if (_rl_verify_signature(data, mkb_size)) {
            mkb = mkb_init(data, mkb_size);
231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275
            DEBUG(DBG_AACS, "Partial hrl mkb read. Version: %d\n", mkb_version(mkb));
        } else {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid host revocation list signature, not using it\n");
            X_FREE(data);
        }
    }

    if (mkb) {
        /* use latest version, keep cache up-to-date */
        uint32_t size;
        size = mkb_data_size(mkb);
        data = cache_get_or_update("hrl", mkb_data(mkb), &size, mkb_version(mkb));

        if (!_rl_verify_signature(data, size)) {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, replacing it\n");
            cache_save("hrl", mkb_version(mkb), mkb_data(mkb), mkb_data_size(mkb));
            X_FREE(data);
        } else {
            /* use cached version */
            mkb_close(mkb);
            mkb = mkb_init(data, size);
        }

    } else {
        /* use cached version */
        uint32_t size;
        data = cache_get_or_update("hrl", NULL, &size, 0);
        if (data && size > 0) {
            if (!_rl_verify_signature(data, size)) {
                mkb = mkb_init(data, size);
            } else {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, deleting cache\n");
                cache_remove("hrl");
            }
        }
    }


    if (mkb) {
        DEBUG(DBG_AACS, "Using hrl version %d\n", mkb_version(mkb));
    }

    return mkb;
}

Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
276
static int _read_vid(AACS *aacs, cert_list *hcl)
cRTrn13's avatar
openssl  
cRTrn13 committed
277
{
278
    /* Use VID given in config file if available */
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
279
    if (memcmp(aacs->vid, empty_key, 16)) {
npzacs's avatar
npzacs committed
280
        return AACS_SUCCESS;
281 282
    }

cRTrn13's avatar
cRTrn13 committed
283
    MMC* mmc = NULL;
npzacs's avatar
npzacs committed
284
    if (!(mmc = mmc_open(aacs->path))) {
npzacs's avatar
npzacs committed
285
        return AACS_ERROR_MMC_OPEN;
286 287
    }

npzacs's avatar
npzacs committed
288 289
    int error_code = AACS_ERROR_NO_CERT;

290
    MKB *hrl_mkb = _get_hrl_mkb(mmc);
291
    const uint8_t *drive_cert = mmc_get_drive_cert(mmc);
292

293
    for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {
294 295 296

        char tmp_str[2*92+1];
        uint8_t priv_key[20], cert[92];
297 298
        hexstring_to_hex_array(priv_key, sizeof(priv_key), hcl->host_priv_key);
        hexstring_to_hex_array(cert,     sizeof(cert),     hcl->host_cert);
299 300

        if (!crypto_aacs_verify_host_cert(cert)) {
npzacs's avatar
npzacs committed
301 302 303 304
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
                  print_hex(tmp_str, cert, 92));
            continue;
        }
305

306
        if (mkb_host_cert_is_revoked(hrl_mkb, cert + 4) > 0) {
307 308 309 310 311 312
            DEBUG(DBG_AACS | DBG_CRIT, "Host certificate %s has been revoked.\n",
                  print_hex(tmp_str, cert + 4, 6));
            error_code = AACS_ERROR_CERT_REVOKED;
            //continue;
        }

313 314 315 316 317 318
        if (drive_cert && (drive_cert[1] & 0x01) && !(cert[1] & 0x01)) {
            DEBUG(DBG_AACS, "Certificate (id 0x%s) does not support bus encryption\n",
                  print_hex(tmp_str, cert + 4, 6));
            //continue;
        }

319 320 321
        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
              print_hex(tmp_str, cert + 4, 6));

Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
322
        int mmc_result = mmc_read_vid(mmc, priv_key, cert, aacs->vid);
npzacs's avatar
npzacs committed
323 324
        switch (mmc_result) {
            case MMC_SUCCESS:
325
                mkb_close(hrl_mkb);
npzacs's avatar
npzacs committed
326
                mmc_close(mmc);
npzacs's avatar
npzacs committed
327 328
                /* cache vid */
                keycache_save("vid", aacs->disc_id, aacs->vid, 16);
npzacs's avatar
npzacs committed
329 330 331 332 333 334 335 336
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
337 338 339
        }
    }

340
    mkb_close(hrl_mkb);
341 342 343
    mmc_close(mmc);

    DEBUG(DBG_AACS, "Error reading VID!\n");
npzacs's avatar
npzacs committed
344
    return error_code;
345
}
cRTrn13's avatar
openssl  
cRTrn13 committed
346

347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393
static int _read_read_data_key(AACS *aacs, cert_list *hcl)
{
    MMC* mmc = NULL;
    if (!(mmc = mmc_open(aacs->path))) {
        return AACS_ERROR_MMC_OPEN;
    }

    int error_code = AACS_ERROR_NO_CERT;

    for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {

        char tmp_str[2*92+1];
        uint8_t priv_key[20], cert[92];
        hexstring_to_hex_array(priv_key, sizeof(priv_key), hcl->host_priv_key);
        hexstring_to_hex_array(cert,     sizeof(cert),     hcl->host_cert);

        if (!crypto_aacs_verify_host_cert(cert)) {
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
                  print_hex(tmp_str, cert, 92));
            continue;
        }

        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
              print_hex(tmp_str, cert + 4, 6));

        int mmc_result = mmc_read_data_keys(mmc, priv_key, cert, aacs->read_data_key, NULL);

        switch (mmc_result) {
            case MMC_SUCCESS:
                mmc_close(mmc);
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
        }
    }

    mmc_close(mmc);

    DEBUG(DBG_AACS, "Error reading read data key!\n");
    return error_code;
}

Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
394 395 396 397 398 399 400 401
static int _read_pmsn(AACS *aacs, cert_list *hcl)
{
    MMC* mmc = NULL;
    if (!(mmc = mmc_open(aacs->path))) {
        return AACS_ERROR_MMC_OPEN;
    }

    int error_code = AACS_ERROR_NO_CERT;
402
    const uint8_t *drive_cert = mmc_get_drive_cert(mmc);
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
403 404 405 406 407 408 409 410 411 412 413 414 415 416

    for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {

        char tmp_str[2*92+1];
        uint8_t priv_key[20], cert[92];
        hexstring_to_hex_array(priv_key, sizeof(priv_key), hcl->host_priv_key);
        hexstring_to_hex_array(cert,     sizeof(cert),     hcl->host_cert);

        if (!crypto_aacs_verify_host_cert(cert)) {
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
                  print_hex(tmp_str, cert, 92));
            continue;
        }

417 418 419 420 421 422
        if (drive_cert && (drive_cert[1] & 0x01) && !(cert[1] & 0x01)) {
            DEBUG(DBG_AACS, "Certificate (id 0x%s) does not support bus encryption\n",
                  print_hex(tmp_str, cert + 4, 6));
            //continue;
        }

Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446
        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
              print_hex(tmp_str, cert + 4, 6));

        int mmc_result = mmc_read_pmsn(mmc, priv_key, cert, aacs->pmsn);
        switch (mmc_result) {
            case MMC_SUCCESS:
                mmc_close(mmc);
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
        }
    }

    mmc_close(mmc);

    DEBUG(DBG_AACS, "Error reading PMSN!\n");
    return error_code;
}

447
static int _calc_vuk(AACS *aacs, uint8_t *mk, uint8_t *vuk,
npzacs's avatar
npzacs committed
448
                     pk_list *pkl, cert_list *host_cert_list)
449
{
npzacs's avatar
npzacs committed
450 451
    int error_code;

452
    /* Skip if retrieved from config file */
453
    if (memcmp(vuk, empty_key, 16)) {
npzacs's avatar
npzacs committed
454 455 456
        DEBUG(DBG_AACS, "Using VUK from config file\n");
        return AACS_SUCCESS;
    }
457

npzacs's avatar
npzacs committed
458
    /* get cached vuk */
459
    if (keycache_find("vuk", aacs->disc_id, vuk, 16)) {
npzacs's avatar
npzacs committed
460
        DEBUG(DBG_AACS, "Using cached VUK\n");
npzacs's avatar
npzacs committed
461
        return AACS_SUCCESS;
npzacs's avatar
npzacs committed
462 463
    }

464
    /* make sure we have media key */
npzacs's avatar
npzacs committed
465
    error_code = _calc_mk(aacs, mk, pkl);
npzacs's avatar
npzacs committed
466 467
    if (error_code != AACS_SUCCESS) {
        return error_code;
468 469
    }

npzacs's avatar
npzacs committed
470
    /* acquire VID */
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
471
    error_code = _read_vid(aacs, host_cert_list);
npzacs's avatar
npzacs committed
472 473 474
    if (error_code != AACS_SUCCESS) {
        return error_code;
    }
475

npzacs's avatar
npzacs committed
476
    /* calculate VUK */
477

npzacs's avatar
npzacs committed
478
    crypto_aes128d(mk, aacs->vid, vuk);
479

npzacs's avatar
npzacs committed
480
    int a;
npzacs's avatar
npzacs committed
481
    for (a = 0; a < 16; a++) {
482
        vuk[a] ^= aacs->vid[a];
npzacs's avatar
npzacs committed
483
    }
484

npzacs's avatar
npzacs committed
485
    char str[40];
486
    DEBUG(DBG_AACS, "Volume unique key: %s\n", print_hex(str, vuk, 16));
487

npzacs's avatar
npzacs committed
488
    /* cache vuk */
489
    keycache_save("vuk", aacs->disc_id, vuk, 16);
npzacs's avatar
npzacs committed
490

npzacs's avatar
npzacs committed
491
    return AACS_SUCCESS;
cRTrn13's avatar
openssl  
cRTrn13 committed
492 493
}

494 495
static uint16_t _read_u16(AACS_FILE_H *fp)
{
npzacs's avatar
npzacs committed
496
  uint8_t data[2] = {0, 0};
497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542

  file_read(fp, data, sizeof(uint16_t));

  return MKINT_BE16(data);
}

static void _read_uks_map(AACS *aacs, AACS_FILE_H *fp)
{
    uint16_t first_play, top_menu;
    unsigned i;

    DEBUG(DBG_AACS, "Assigning CPS units to titles ...\n");

    X_FREE(aacs->cps_units);
    aacs->current_cps_unit = 0;

    file_seek(fp, 16 + 4, SEEK_SET);

    first_play = _read_u16(fp);
    top_menu   = _read_u16(fp);

    DEBUG(DBG_AACS, "Title FP : CPS unit %d\n", first_play);
    DEBUG(DBG_AACS, "Title TM : CPS unit %d\n", top_menu);

    aacs->num_titles   = _read_u16(fp);
    aacs->cps_units    = calloc(sizeof(uint16_t), aacs->num_titles + 2);
    aacs->cps_units[0] = first_play;
    aacs->cps_units[1] = top_menu;

    for (i = 2; i < aacs->num_titles + 2; i++) {
        _read_u16(fp); /* reserved */
        aacs->cps_units[i] = _read_u16(fp);
        DEBUG(DBG_AACS, "Title %02d : CPS unit %d\n", i - 1, aacs->cps_units[i]);
    }

    /* validate */
    for (i = 0; i < aacs->num_titles + 2; i++) {
        if (aacs->cps_units[i])
            aacs->cps_units[i]--; /* number [1...N] --> index [0...N-1] */
        if (aacs->cps_units[i] >= aacs->num_uks) {
            DEBUG(DBG_AACS, " *** Invalid CPS unit for title %d: %d !\n", (int) i - 1, aacs->cps_units[i]);
            aacs->cps_units[i] = 0;
        }
    }
}

npzacs's avatar
npzacs committed
543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558
static AACS_FILE_H *_open_unit_key_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Unit_Key_RO.inf", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening unit key file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574
static AACS_FILE_H *_open_content_certificate_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Content000.cer", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening content certificate file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

npzacs's avatar
npzacs committed
575
/* Function that collects keys from keydb config entry */
576 577
static void _find_config_entry(AACS *aacs, title_entry_list *ce,
                               uint8_t *mk, uint8_t *vuk)
npzacs's avatar
npzacs committed
578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601
{
    uint8_t discid[20];
    char str[48];

    aacs->uks = NULL;
    aacs->num_uks = 0;

        while (ce && ce->entry.discid) {
            memset(discid, 0, sizeof(discid));
            hexstring_to_hex_array(discid, sizeof(discid),
                                   ce->entry.discid);
            if (!memcmp(aacs->disc_id, discid, 20)) {
                DEBUG(DBG_AACS, "Found config entry for discid %s\n",
                      ce->entry.discid);
                break;
            }

            ce = ce->next;
        }
        if (!ce) {
            return;
        }

        if (ce->entry.mek) {
602
            hexstring_to_hex_array(mk, 16, ce->entry.mek);
npzacs's avatar
npzacs committed
603 604

            DEBUG(DBG_AACS, "Found media key for %s: %s\n",
605
                  ce->entry.discid, print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
606 607 608 609 610 611 612 613 614 615 616
        }

        if (ce->entry.vid) {
            hexstring_to_hex_array(aacs->vid, sizeof(aacs->vid),
                                    ce->entry.vid);

            DEBUG(DBG_AACS, "Found volume id for %s: %s\n",
                  ce->entry.discid, print_hex(str, aacs->vid, 16));
        }

        if (ce->entry.vuk) {
617
            hexstring_to_hex_array(vuk, 16, ce->entry.vuk);
npzacs's avatar
npzacs committed
618 619

            DEBUG(DBG_AACS, "Found volume unique key for %s: %s\n",
620
                  ce->entry.discid, print_hex(str, vuk, 16));
npzacs's avatar
npzacs committed
621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642
        }

        if (ce->entry.uk) {
            DEBUG(DBG_AACS, "Acquire CPS unit keys from keydb config file...\n");

            digit_key_pair_list *ukcursor = ce->entry.uk;
            while (ukcursor && ukcursor->key_pair.key) {
                aacs->num_uks++;

                aacs->uks = (uint8_t*)realloc(aacs->uks, 16 * aacs->num_uks);
                hexstring_to_hex_array(aacs->uks + (16 * (aacs->num_uks - 1)), 16,
                                      ukcursor->key_pair.key);

                DEBUG(DBG_AACS, "Unit key %d from keydb entry: %s\n",
                      aacs->num_uks,
                      print_hex(str, aacs->uks + (16 * (aacs->num_uks - 1)), 16));

                ukcursor = ukcursor->next;
            }
        }
}

643
static int _calc_uks(AACS *aacs, config_file *cf)
cRTrn13's avatar
openssl  
cRTrn13 committed
644
{
645
    AACS_FILE_H *fp = NULL;
646
    uint8_t  buf[16];
647
    uint64_t f_pos;
648
    unsigned int i;
npzacs's avatar
npzacs committed
649
    int error_code;
cRTrn13's avatar
openssl  
cRTrn13 committed
650

651 652 653 654 655
    uint8_t mk[16] = {0}, vuk[16] = {0};

    DEBUG(DBG_AACS, "Searching for keydb config entry...\n");
    _find_config_entry(aacs, cf->list, mk, vuk);

656
    /* Skip if retrieved from config file */
657
    if (aacs->uks) {
npzacs's avatar
npzacs committed
658
        return AACS_SUCCESS;
659
    }
660

661
    /* Make sure we have VUK */
662
    error_code = _calc_vuk(aacs, mk, vuk, cf->pkl, cf->host_cert_list);
npzacs's avatar
npzacs committed
663 664
    if (error_code != AACS_SUCCESS) {
        return error_code;
665
    }
666

667 668
    DEBUG(DBG_AACS, "Calculate CPS unit keys...\n");

npzacs's avatar
npzacs committed
669
    fp = _open_unit_key_file(aacs->path);
npzacs's avatar
npzacs committed
670 671 672
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
    }
cRTrn13's avatar
openssl  
cRTrn13 committed
673

npzacs's avatar
npzacs committed
674 675
    if ((file_read(fp, buf, 4)) == 4) {
        f_pos = MKINT_BE32(buf);
npzacs's avatar
npzacs committed
676

npzacs's avatar
npzacs committed
677 678 679 680
        // Read number of keys
        file_seek(fp, f_pos, SEEK_SET);
        if ((file_read(fp, buf, 2)) == 2) {
            aacs->num_uks = MKINT_BE16(buf);
npzacs's avatar
npzacs committed
681

npzacs's avatar
npzacs committed
682 683
            X_FREE(aacs->uks);
            aacs->uks = calloc(aacs->num_uks, 16);
npzacs's avatar
npzacs committed
684

npzacs's avatar
npzacs committed
685
            DEBUG(DBG_AACS, "%d CPS unit keys\n", aacs->num_uks);
npzacs's avatar
npzacs committed
686

npzacs's avatar
npzacs committed
687 688 689 690 691
        } else {
            aacs->num_uks = 0;
            DEBUG(DBG_AACS | DBG_CRIT, "Error reading number of unit keys\n");
            error_code = AACS_ERROR_CORRUPTED_DISC;
        }
cRTrn13's avatar
openssl  
cRTrn13 committed
692

npzacs's avatar
npzacs committed
693 694 695
        // Read keys
        for (i = 0; i < aacs->num_uks; i++) {
            f_pos += 48;
cRTrn13's avatar
openssl  
cRTrn13 committed
696

npzacs's avatar
npzacs committed
697 698 699 700 701 702
            file_seek(fp, f_pos, SEEK_SET);
            if ((file_read(fp, buf, 16)) != 16) {
                DEBUG(DBG_AACS, "Unit key %d: read error\n", i);
                aacs->num_uks = i;
                error_code = AACS_ERROR_CORRUPTED_DISC;
                break;
npzacs's avatar
npzacs committed
703
            }
cRTrn13's avatar
openssl  
cRTrn13 committed
704

npzacs's avatar
npzacs committed
705
            crypto_aes128d(vuk, buf, aacs->uks + 16*i);
cRTrn13's avatar
openssl  
cRTrn13 committed
706

npzacs's avatar
npzacs committed
707 708 709
            char str[40];
            DEBUG(DBG_AACS, "Unit key %d: %s\n", i,
                  print_hex(str, aacs->uks + 16*i, 16));
710 711
        }

npzacs's avatar
npzacs committed
712 713 714
        /* failing next is not fatal, it just slows down things */
        _read_uks_map(aacs, fp);

715
        file_close(fp);
cRTrn13's avatar
openssl  
cRTrn13 committed
716

npzacs's avatar
npzacs committed
717 718 719 720 721 722 723
        return error_code;
    }

    file_close(fp);

    DEBUG(DBG_AACS | DBG_CRIT, "Error reading unit keys\n");
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
openssl  
cRTrn13 committed
724 725
}

726 727
static int _calc_title_hash(const char *path, uint8_t *title_hash)
{
728
    AACS_FILE_H *fp = NULL;
729 730 731
    uint8_t *ukf_buf;
    char     str[48];
    int64_t  f_size;
npzacs's avatar
npzacs committed
732
    int      result = AACS_SUCCESS;
733

npzacs's avatar
npzacs committed
734 735 736
    fp = _open_unit_key_file(path);
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
737 738 739 740 741 742 743 744
    }

    file_seek(fp, 0, SEEK_END);
    f_size = file_tell(fp);
    file_seek(fp, 0, SEEK_SET);

    ukf_buf = malloc(f_size);

npzacs's avatar
npzacs committed
745 746 747
    if ((file_read(fp, ukf_buf, f_size)) == f_size) {
        crypto_aacs_title_hash(ukf_buf, f_size, title_hash);
        DEBUG(DBG_AACS, "Disc ID: %s\n", print_hex(str, title_hash, 20));
cRTrn13's avatar
cRTrn13 committed
748

npzacs's avatar
npzacs committed
749 750 751
    } else {
        result = AACS_ERROR_CORRUPTED_DISC;
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read %"PRIu64" bytes from unit key file %s/AACS/Unit_Key_RO.inf", f_size, path);
752 753 754 755 756
    }

    file_close(fp);
    X_FREE(ukf_buf);

npzacs's avatar
npzacs committed
757
    return result;
758
}
cRTrn13's avatar
cRTrn13 committed
759

760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803
static int _get_bus_encryption_enabled(const char *path)
{
    AACS_FILE_H *fp = NULL;
    uint8_t buf[2];
    int bee = 0;

    fp = _open_content_certificate_file(path);
    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to open content certificate\n");
        return 0;
    }

    if (file_read(fp, buf, 2) == 2) {
        bee = (buf[1] & 0x80) >> 7;
        DEBUG(DBG_AACS, "Bus Encryption Enabled flag in content certificate: %d\n", bee);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read Bus Encryption Enabled flag from content certificate file\n");
    }

    file_close(fp);
    return bee;
}

static int _get_bus_encryption_capable(const char *path)
{
    MMC* mmc = NULL;
    uint8_t drive_cert[92];
    int bec = 0;

    if (!(mmc = mmc_open(path))) {
        return 0;
    }

    if (mmc_read_drive_cert(mmc, drive_cert) == MMC_SUCCESS) {
        bec = drive_cert[1] & 1;
        DEBUG(DBG_AACS, "Bus Encryption Capable flag in drive certificate: %d\n", bec);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to read drive certificate\n");
    }

    mmc_close(mmc);
    return bec;
}

npzacs's avatar
npzacs committed
804
static int _verify_ts(uint8_t *buf, size_t size)
805
{
806 807
    uint8_t *ptr;

cRTrn13's avatar
cRTrn13 committed
808 809 810 811 812 813 814
    if (size < 192) {
        return 1;
    }

    for (ptr=buf; ptr < buf+192; ptr++) {
        int failed = 0;
        if (*ptr == 0x47) {
815 816 817 818
            uint8_t *ptr2;

            for (ptr2=ptr; ptr2 < buf + size; ptr2 += 192) {
                if (*ptr2 != 0x47) {
cRTrn13's avatar
cRTrn13 committed
819 820
                    failed = 1;
                    break;
821 822
                }
            }
cRTrn13's avatar
cRTrn13 committed
823 824 825
            if (!failed) {
                return 1;
            }
826 827 828 829
        }
        ptr++;
    }

cRTrn13's avatar
cRTrn13 committed
830
    DEBUG(DBG_AACS, "Failed to verify TS!\n");
831

cRTrn13's avatar
cRTrn13 committed
832
    return 0;
833 834
}

835
#define ALIGNED_UNIT_LEN 6144
836
static int _decrypt_unit(AACS *aacs, uint8_t *out_buf, const uint8_t *in_buf, uint32_t curr_uk)
cRTrn13's avatar
cRTrn13 committed
837
{
838 839
    gcry_cipher_hd_t gcry_h;
    int a;
840
    uint8_t key[16];
841 842 843

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, aacs->uks + curr_uk * 16, 16);
844
    gcry_cipher_encrypt(gcry_h, key, 16, in_buf, 16);
845
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
846

cRTrn13's avatar
cRTrn13 committed
847
    for (a = 0; a < 16; a++) {
848
        key[a] ^= in_buf[a];
cRTrn13's avatar
cRTrn13 committed
849 850
    }

851 852
    memcpy(out_buf, in_buf, 16); /* first 16 bytes are plain */

853 854
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, key, 16);
855
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
856
    gcry_cipher_decrypt(gcry_h, out_buf + 16, ALIGNED_UNIT_LEN - 16, in_buf + 16, ALIGNED_UNIT_LEN - 16);
857
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
858

859
    if (_verify_ts(out_buf, ALIGNED_UNIT_LEN)) {
cRTrn13's avatar
cRTrn13 committed
860 861 862
        return 1;
    }

863
    if (curr_uk < aacs->num_uks - 1) {
864
        return _decrypt_unit(aacs, out_buf, in_buf, curr_uk++);
npzacs's avatar
npzacs committed
865 866
    }

cRTrn13's avatar
cRTrn13 committed
867 868 869
    return 0;
}

870
#define SECTOR_LEN 2048
871
static void _decrypt_bus(AACS *aacs, uint8_t *buf)
872 873 874 875 876
{
    gcry_cipher_hd_t gcry_h;

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, aacs->read_data_key, 16);
877
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
878
    gcry_cipher_decrypt(gcry_h, buf + 16, SECTOR_LEN - 16, NULL, 0);
879 880 881
    gcry_cipher_close(gcry_h);
}

npzacs's avatar
npzacs committed
882 883
void aacs_get_version(int *major, int *minor, int *micro)
{
npzacs's avatar
npzacs committed
884 885 886
    *major = AACS_VERSION_MAJOR;
    *minor = AACS_VERSION_MINOR;
    *micro = AACS_VERSION_MICRO;
npzacs's avatar
npzacs committed
887 888
}

npzacs's avatar
npzacs committed
889
/* aacs_open2() wrapper for backwards compability */
cRTrn13's avatar
cRTrn13 committed
890
AACS *aacs_open(const char *path, const char *configfile_path)
npzacs's avatar
npzacs committed
891 892 893 894 895 896 897 898 899 900 901 902 903 904
{
    int error_code;
    AACS *aacs;

    aacs = aacs_open2(path, configfile_path, &error_code);
    if (error_code == AACS_SUCCESS) {
        return aacs;
    }

    aacs_close(aacs);
    return NULL;
}

AACS *aacs_open2(const char *path, const char *configfile_path, int *error_code)
cRTrn13's avatar
cRTrn13 committed
905
{
npzacs's avatar
npzacs committed
906
    DEBUG(DBG_AACS, "libaacs "AACS_VERSION_STRING" [%zd]\n", sizeof(AACS));
cRTrn13's avatar
cRTrn13 committed
907

908
    DEBUG(DBG_AACS, "Initializing libgcrypt...\n");
npzacs's avatar
npzacs committed
909
    if (!crypto_init()) {
npzacs's avatar
npzacs committed
910
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to initialize libgcrypt\n");
911 912
        return NULL;
    }
913

cRTrn13's avatar
cRTrn13 committed
914
    AACS *aacs = calloc(1, sizeof(AACS));
915
    config_file *cf;
916

npzacs's avatar
npzacs committed
917 918
    aacs->path = str_printf("%s", path);

npzacs's avatar
npzacs committed
919 920 921 922 923
    *error_code = _calc_title_hash(path, aacs->disc_id);
    if (*error_code != AACS_SUCCESS) {
        aacs_close(aacs);
        return NULL;
    }
npzacs's avatar
npzacs committed
924

925 926 927
    cf = keydbcfg_config_load(configfile_path);
    if (!cf) {
        *error_code = AACS_ERROR_NO_CONFIG;
npzacs's avatar
npzacs committed
928
        return aacs;
929 930
    }

npzacs's avatar
npzacs committed
931
    DEBUG(DBG_AACS, "Starting AACS waterfall...\n");
932 933 934 935
    *error_code = _calc_uks(aacs, cf);
    if (*error_code != AACS_SUCCESS) {
        DEBUG(DBG_AACS, "Failed to initialize AACS!\n");
    }
cRTrn13's avatar
cRTrn13 committed
936

937 938 939
    aacs->bee = _get_bus_encryption_enabled(path);
    aacs->bec = _get_bus_encryption_capable(path);

npzacs's avatar
npzacs committed
940
    if (*error_code == AACS_SUCCESS && aacs->bee && aacs->bec) {
941 942 943 944
        *error_code = _read_read_data_key(aacs, cf->host_cert_list);
        if (*error_code != AACS_SUCCESS) {
            DEBUG(DBG_AACS | DBG_CRIT, "Unable to initialize bus encryption required by drive and disc\n");
        }
npzacs's avatar
npzacs committed
945
    }
946

947 948 949 950
    keydbcfg_config_file_close(cf);

    DEBUG(DBG_AACS, "AACS initialized!\n");

npzacs's avatar
npzacs committed
951
    return aacs;
cRTrn13's avatar
cRTrn13 committed
952 953
}

cRTrn13's avatar
cRTrn13 committed
954
void aacs_close(AACS *aacs)
cRTrn13's avatar
cRTrn13 committed
955
{
npzacs's avatar
npzacs committed
956 957 958
    if (!aacs)
        return;

npzacs's avatar
npzacs committed
959 960 961 962