aacs.c 29.4 KB
Newer Older
1 2
/*
 * This file is part of libaacs
3
 * Copyright (C) 2009-2010  Obliter0n
npzacs's avatar
npzacs committed
4
 * Copyright (C) 2009-2010  npzacs
5
 *
gates's avatar
gates committed
6 7 8 9
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
10
 *
gates's avatar
gates committed
11
 * This library is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
gates's avatar
gates committed
13 14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
15
 *
gates's avatar
gates committed
16 17 18
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
19 20
 */

npzacs's avatar
npzacs committed
21 22 23 24
#if HAVE_CONFIG_H
#include "config.h"
#endif

npzacs's avatar
npzacs committed
25 26
#include <util/attributes.h>

npzacs's avatar
npzacs committed
27
#include "aacs-version.h"
cRTrn13's avatar
cRTrn13 committed
28
#include "aacs.h"
29
#include "crypto.h"
cRTrn13's avatar
cRTrn13 committed
30
#include "mmc.h"
31
#include "mkb.h"
gates's avatar
gates committed
32
#include "file/file.h"
gates's avatar
gates committed
33
#include "file/keydbcfg.h"
34 35
#include "util/macro.h"
#include "util/logging.h"
36
#include "util/strutl.h"
cRTrn13's avatar
cRTrn13 committed
37

38
#include <inttypes.h>
39
#include <string.h>
40
#include <stdio.h>
npzacs's avatar
npzacs committed
41 42 43
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
44
#include <gcrypt.h>
45

npzacs's avatar
npzacs committed
46

npzacs's avatar
npzacs committed
47
struct aacs {
npzacs's avatar
npzacs committed
48 49 50 51 52
    /* current disc */
    char     *path;
    int       mkb_version;
    uint8_t   disc_id[20];

53 54
    /* VID is cached for BD-J */
    uint8_t   vid[16];
55 56
    /* PMSN is cached for BD-J */
    uint8_t   pmsn[16];
npzacs's avatar
npzacs committed
57 58 59 60

    /* unit key for each CPS unit */
    uint32_t  num_uks;
    uint8_t  *uks;
npzacs's avatar
npzacs committed
61

npzacs's avatar
npzacs committed
62 63 64 65 66 67
    /* CPS unit of currently selected title */
    uint16_t  current_cps_unit;

    /* title -> CPS unit mappings */
    uint32_t  num_titles;
    uint16_t *cps_units;  /* [0] = first play ; [1] = top menu ; [2] = title 1 ... */
68 69 70 71

    /* bus encryption */
    int       bee;        /* bus encryption enabled flag in content certificate */
    int       bec;        /* bus encryption capable flag in drive certificate */
72
    uint8_t   read_data_key[16];
npzacs's avatar
npzacs committed
73 74
};

75 76
static const uint8_t empty_key[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00";
77 78
static const uint8_t aacs_iv[]   = "\x0b\xa0\xf8\xdd\xfe\xa6\x1f\xb3"
                                   "\xd8\xdf\x9f\x56\x6a\x05\x0f\x78";
79

80 81
static int _validate_pk(const uint8_t *pk,
                        const uint8_t *cvalue, const uint8_t *uv, const uint8_t *vd,
npzacs's avatar
npzacs committed
82
                        uint8_t *mk)
cRTrn13's avatar
cRTrn13 committed
83
{
84
    gcry_cipher_hd_t gcry_h;
npzacs's avatar
npzacs committed
85
    int a;
cRTrn13's avatar
cRTrn13 committed
86
    uint8_t dec_vd[16];
87
    char str[40];
cRTrn13's avatar
cRTrn13 committed
88

89
    DEBUG(DBG_AACS, "Validate processing key %s...\n", print_hex(str, pk, 16));
cRTrn13's avatar
cRTrn13 committed
90
    DEBUG(DBG_AACS, " Using:\n");
91 92 93
    DEBUG(DBG_AACS, "   UV: %s\n", print_hex(str, uv, 4));
    DEBUG(DBG_AACS, "   cvalue: %s\n", print_hex(str, cvalue, 16));
    DEBUG(DBG_AACS, "   Verification data: %s\n", print_hex(str, vd, 16));
94

95 96 97
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, pk, 16);
    gcry_cipher_decrypt(gcry_h, mk, 16, cvalue, 16);
98

cRTrn13's avatar
cRTrn13 committed
99 100 101 102
    for (a = 0; a < 4; a++) {
        mk[a + 12] ^= uv[a];
    }

103 104 105
    gcry_cipher_setkey(gcry_h, mk, 16);
    gcry_cipher_decrypt (gcry_h, dec_vd, 16, vd, 16);
    gcry_cipher_close(gcry_h);
106

cRTrn13's avatar
cRTrn13 committed
107
    if (!memcmp(dec_vd, "\x01\x23\x45\x67\x89\xAB\xCD\xEF", 8)) {
npzacs's avatar
npzacs committed
108
        DEBUG(DBG_AACS, "Processing key %s is valid!\n", print_hex(str, pk, 16));
npzacs's avatar
npzacs committed
109
        return AACS_SUCCESS;
cRTrn13's avatar
cRTrn13 committed
110 111
    }

npzacs's avatar
npzacs committed
112
    return AACS_ERROR_NO_PK;
cRTrn13's avatar
cRTrn13 committed
113
}
114

115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
static int _rl_verify_signature(const uint8_t *rl, size_t size)
{
    int    entries = MKINT_BE32(rl + 12 + 8);
    size_t len     = 12 + 12 + 8 * entries; /* type_and_version_rec=12, rl_header=12, rl=entries*8 */

    if (len + 40 > size) {
        DEBUG(DBG_AACS, "revocation list size mismatch\n");
        return 0;
    }

    return crypto_aacs_verify_aacsla(rl + len, rl, len);
}

static void _update_drl(MKB *mkb)
{
    uint32_t version = mkb_version(mkb);
    uint32_t cache_version;

    if (!cache_get("drl", &cache_version, NULL, NULL) || cache_version < version) {
        size_t drl_len;
        const uint8_t *drl_rec = mkb_drive_revokation_entries(mkb, &drl_len);
        const uint8_t *v_rec   = mkb_type_and_version_record(mkb);

        if (drl_rec && v_rec) {
            drl_rec -= 4;
            drl_len += 4;

            uint8_t *data = malloc(12 + drl_len);
            memcpy(data,      v_rec,   12);
            memcpy(data + 12, drl_rec, drl_len);
            if (!_rl_verify_signature(data, drl_len + 12)) {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid drive revocation list signature, not using it\n");
            } else {
                cache_save("drl", version, data, drl_len + 12);
            }
            X_FREE(data);
        }
    }
}

155
static int _calc_mk(AACS *aacs, uint8_t *mk, pk_list *pkl)
cRTrn13's avatar
keyfile  
cRTrn13 committed
156 157 158
{
    int a, num_uvs = 0;
    size_t len;
159
    uint8_t *buf = NULL;
cRTrn13's avatar
keyfile  
cRTrn13 committed
160
    MKB *mkb = NULL;
161
    const uint8_t *rec, *uvs;
cRTrn13's avatar
keyfile  
cRTrn13 committed
162

163
    /* Skip if retrieved from config file */
164 165 166
    if (memcmp(mk, empty_key, 16)) {
        return AACS_SUCCESS;
    }
167

cRTrn13's avatar
cRTrn13 committed
168 169
    DEBUG(DBG_AACS, "Calculate media key...\n");

npzacs's avatar
npzacs committed
170
    if ((mkb = mkb_open(aacs->path))) {
171
        DEBUG(DBG_AACS, "Get UVS...\n");
172
        _update_drl(mkb);
npzacs's avatar
npzacs committed
173
        aacs->mkb_version = mkb_version(mkb);
174 175 176 177 178 179 180 181
        uvs = mkb_subdiff_records(mkb, &len);
        rec = uvs;
        while (rec < uvs + len) {
            if (rec[0] & 0xc0)
                break;
            rec += 5;
            num_uvs++;
        }
cRTrn13's avatar
keyfile  
cRTrn13 committed
182

183 184
        DEBUG(DBG_AACS, "Get cvalues...\n");
        rec = mkb_cvalues(mkb, &len);
185 186

        for (; pkl && pkl->key; pkl = pkl->next) {
187
                uint8_t pk[16];
188
                hexstring_to_hex_array(pk, sizeof(pk), pkl->key);
189 190 191
                DEBUG(DBG_AACS, "Trying processing key...\n");

                for (a = 0; a < num_uvs; a++) {
192
                    if (AACS_SUCCESS == _validate_pk(pk, rec + a * 16, uvs + 1 + a * 5,
193
                      mkb_mk_dv(mkb), mk)) {
194 195
                        mkb_close(mkb);
                        X_FREE(buf);
196

197
                        char str[40];
198
                        DEBUG(DBG_AACS, "Media key: %s\n", print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
199
                        return AACS_SUCCESS;
200 201
                    }
                }
cRTrn13's avatar
keyfile  
cRTrn13 committed
202 203
            }

204 205
        mkb_close(mkb);
        X_FREE(buf);
cRTrn13's avatar
keyfile  
cRTrn13 committed
206

npzacs's avatar
npzacs committed
207
        DEBUG(DBG_AACS | DBG_CRIT, "Error calculating media key. Missing right processing key ?\n");
npzacs's avatar
npzacs committed
208
        return AACS_ERROR_NO_PK;
npzacs's avatar
npzacs committed
209
    }
npzacs's avatar
npzacs committed
210

npzacs's avatar
npzacs committed
211
    DEBUG(DBG_AACS | DBG_CRIT, "Error opening %s/AACS/MKB_RO.inf\n", aacs->path);
npzacs's avatar
npzacs committed
212
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
keyfile  
cRTrn13 committed
213
}
214

215 216 217 218
static MKB *_get_hrl_mkb(MMC *mmc)
{
    MKB     *mkb = NULL;
    uint8_t *data;
npzacs's avatar
npzacs committed
219
    int      mkb_size;
220

npzacs's avatar
npzacs committed
221
    data = mmc_read_mkb(mmc, 0, &mkb_size);
222 223

    /* check acquired hrl signature */
npzacs's avatar
npzacs committed
224 225 226
    if (data && mkb_size > 0) {
        if (_rl_verify_signature(data, mkb_size)) {
            mkb = mkb_init(data, mkb_size);
227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271
            DEBUG(DBG_AACS, "Partial hrl mkb read. Version: %d\n", mkb_version(mkb));
        } else {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid host revocation list signature, not using it\n");
            X_FREE(data);
        }
    }

    if (mkb) {
        /* use latest version, keep cache up-to-date */
        uint32_t size;
        size = mkb_data_size(mkb);
        data = cache_get_or_update("hrl", mkb_data(mkb), &size, mkb_version(mkb));

        if (!_rl_verify_signature(data, size)) {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, replacing it\n");
            cache_save("hrl", mkb_version(mkb), mkb_data(mkb), mkb_data_size(mkb));
            X_FREE(data);
        } else {
            /* use cached version */
            mkb_close(mkb);
            mkb = mkb_init(data, size);
        }

    } else {
        /* use cached version */
        uint32_t size;
        data = cache_get_or_update("hrl", NULL, &size, 0);
        if (data && size > 0) {
            if (!_rl_verify_signature(data, size)) {
                mkb = mkb_init(data, size);
            } else {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, deleting cache\n");
                cache_remove("hrl");
            }
        }
    }


    if (mkb) {
        DEBUG(DBG_AACS, "Using hrl version %d\n", mkb_version(mkb));
    }

    return mkb;
}

272
static int _read_vid(AACS *aacs, cert_list *hcl, int force_mmc)
cRTrn13's avatar
openssl  
cRTrn13 committed
273
{
274
    /* Use VID given in config file if available */
275
    if (!force_mmc && memcmp(aacs->vid, empty_key, 16)) {
npzacs's avatar
npzacs committed
276
        return AACS_SUCCESS;
277 278
    }

cRTrn13's avatar
cRTrn13 committed
279
    MMC* mmc = NULL;
npzacs's avatar
npzacs committed
280
    if (!(mmc = mmc_open(aacs->path))) {
npzacs's avatar
npzacs committed
281
        return AACS_ERROR_MMC_OPEN;
282 283
    }

npzacs's avatar
npzacs committed
284 285
    int error_code = AACS_ERROR_NO_CERT;

286 287
    MKB *hrl_mkb = _get_hrl_mkb(mmc);

288
    for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {
289 290 291

        char tmp_str[2*92+1];
        uint8_t priv_key[20], cert[92];
292 293
        hexstring_to_hex_array(priv_key, sizeof(priv_key), hcl->host_priv_key);
        hexstring_to_hex_array(cert,     sizeof(cert),     hcl->host_cert);
294 295

        if (!crypto_aacs_verify_host_cert(cert)) {
npzacs's avatar
npzacs committed
296 297 298 299
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
                  print_hex(tmp_str, cert, 92));
            continue;
        }
300

301 302 303 304 305 306 307
        if (mkb_host_cert_is_revoked(hrl_mkb, cert + 4)) {
            DEBUG(DBG_AACS | DBG_CRIT, "Host certificate %s has been revoked.\n",
                  print_hex(tmp_str, cert + 4, 6));
            error_code = AACS_ERROR_CERT_REVOKED;
            //continue;
        }

308 309 310
        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
              print_hex(tmp_str, cert + 4, 6));

311
        int mmc_result = mmc_read_vid(mmc, priv_key, cert, aacs->vid, aacs->pmsn);
npzacs's avatar
npzacs committed
312 313
        switch (mmc_result) {
            case MMC_SUCCESS:
314
                mkb_close(hrl_mkb);
npzacs's avatar
npzacs committed
315
                mmc_close(mmc);
npzacs's avatar
npzacs committed
316 317
                /* cache vid */
                keycache_save("vid", aacs->disc_id, aacs->vid, 16);
npzacs's avatar
npzacs committed
318 319 320 321 322 323 324 325
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
326 327 328
        }
    }

329
    mkb_close(hrl_mkb);
330 331 332
    mmc_close(mmc);

    DEBUG(DBG_AACS, "Error reading VID!\n");
npzacs's avatar
npzacs committed
333
    return error_code;
334
}
cRTrn13's avatar
openssl  
cRTrn13 committed
335

336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382
static int _read_read_data_key(AACS *aacs, cert_list *hcl)
{
    MMC* mmc = NULL;
    if (!(mmc = mmc_open(aacs->path))) {
        return AACS_ERROR_MMC_OPEN;
    }

    int error_code = AACS_ERROR_NO_CERT;

    for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {

        char tmp_str[2*92+1];
        uint8_t priv_key[20], cert[92];
        hexstring_to_hex_array(priv_key, sizeof(priv_key), hcl->host_priv_key);
        hexstring_to_hex_array(cert,     sizeof(cert),     hcl->host_cert);

        if (!crypto_aacs_verify_host_cert(cert)) {
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
                  print_hex(tmp_str, cert, 92));
            continue;
        }

        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
              print_hex(tmp_str, cert + 4, 6));

        int mmc_result = mmc_read_data_keys(mmc, priv_key, cert, aacs->read_data_key, NULL);

        switch (mmc_result) {
            case MMC_SUCCESS:
                mmc_close(mmc);
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
        }
    }

    mmc_close(mmc);

    DEBUG(DBG_AACS, "Error reading read data key!\n");
    return error_code;
}

383
static int _calc_vuk(AACS *aacs, uint8_t *mk, uint8_t *vuk,
npzacs's avatar
npzacs committed
384
                     pk_list *pkl, cert_list *host_cert_list)
385
{
npzacs's avatar
npzacs committed
386 387
    int error_code;

388
    /* Skip if retrieved from config file */
389
    if (memcmp(vuk, empty_key, 16)) {
npzacs's avatar
npzacs committed
390 391 392
        DEBUG(DBG_AACS, "Using VUK from config file\n");
        return AACS_SUCCESS;
    }
393

npzacs's avatar
npzacs committed
394
    /* get cached vuk */
395
    if (keycache_find("vuk", aacs->disc_id, vuk, 16)) {
npzacs's avatar
npzacs committed
396
        DEBUG(DBG_AACS, "Using cached VUK\n");
npzacs's avatar
npzacs committed
397
        return AACS_SUCCESS;
npzacs's avatar
npzacs committed
398 399
    }

400
    /* make sure we have media key */
npzacs's avatar
npzacs committed
401
    error_code = _calc_mk(aacs, mk, pkl);
npzacs's avatar
npzacs committed
402 403
    if (error_code != AACS_SUCCESS) {
        return error_code;
404 405
    }

npzacs's avatar
npzacs committed
406
    /* acquire VID */
407
    error_code = _read_vid(aacs, host_cert_list, 0);
npzacs's avatar
npzacs committed
408 409 410
    if (error_code != AACS_SUCCESS) {
        return error_code;
    }
411

npzacs's avatar
npzacs committed
412 413
    int a;
    gcry_cipher_hd_t gcry_h;
414

npzacs's avatar
npzacs committed
415
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
416 417
    gcry_cipher_setkey(gcry_h, mk, 16);
    gcry_cipher_decrypt(gcry_h, vuk, 16, aacs->vid, 16);
npzacs's avatar
npzacs committed
418
    gcry_cipher_close(gcry_h);
419

npzacs's avatar
npzacs committed
420
    for (a = 0; a < 16; a++) {
421
        vuk[a] ^= aacs->vid[a];
npzacs's avatar
npzacs committed
422
    }
423

npzacs's avatar
npzacs committed
424
    char str[40];
425
    DEBUG(DBG_AACS, "Volume unique key: %s\n", print_hex(str, vuk, 16));
426

npzacs's avatar
npzacs committed
427
    /* cache vuk */
428
    keycache_save("vuk", aacs->disc_id, vuk, 16);
npzacs's avatar
npzacs committed
429

npzacs's avatar
npzacs committed
430
    return AACS_SUCCESS;
cRTrn13's avatar
openssl  
cRTrn13 committed
431 432
}

433 434
static uint16_t _read_u16(AACS_FILE_H *fp)
{
npzacs's avatar
npzacs committed
435
  uint8_t data[2] = {0, 0};
436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481

  file_read(fp, data, sizeof(uint16_t));

  return MKINT_BE16(data);
}

static void _read_uks_map(AACS *aacs, AACS_FILE_H *fp)
{
    uint16_t first_play, top_menu;
    unsigned i;

    DEBUG(DBG_AACS, "Assigning CPS units to titles ...\n");

    X_FREE(aacs->cps_units);
    aacs->current_cps_unit = 0;

    file_seek(fp, 16 + 4, SEEK_SET);

    first_play = _read_u16(fp);
    top_menu   = _read_u16(fp);

    DEBUG(DBG_AACS, "Title FP : CPS unit %d\n", first_play);
    DEBUG(DBG_AACS, "Title TM : CPS unit %d\n", top_menu);

    aacs->num_titles   = _read_u16(fp);
    aacs->cps_units    = calloc(sizeof(uint16_t), aacs->num_titles + 2);
    aacs->cps_units[0] = first_play;
    aacs->cps_units[1] = top_menu;

    for (i = 2; i < aacs->num_titles + 2; i++) {
        _read_u16(fp); /* reserved */
        aacs->cps_units[i] = _read_u16(fp);
        DEBUG(DBG_AACS, "Title %02d : CPS unit %d\n", i - 1, aacs->cps_units[i]);
    }

    /* validate */
    for (i = 0; i < aacs->num_titles + 2; i++) {
        if (aacs->cps_units[i])
            aacs->cps_units[i]--; /* number [1...N] --> index [0...N-1] */
        if (aacs->cps_units[i] >= aacs->num_uks) {
            DEBUG(DBG_AACS, " *** Invalid CPS unit for title %d: %d !\n", (int) i - 1, aacs->cps_units[i]);
            aacs->cps_units[i] = 0;
        }
    }
}

npzacs's avatar
npzacs committed
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497
static AACS_FILE_H *_open_unit_key_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Unit_Key_RO.inf", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening unit key file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513
static AACS_FILE_H *_open_content_certificate_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Content000.cer", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening content certificate file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

npzacs's avatar
npzacs committed
514
/* Function that collects keys from keydb config entry */
515 516
static void _find_config_entry(AACS *aacs, title_entry_list *ce,
                               uint8_t *mk, uint8_t *vuk)
npzacs's avatar
npzacs committed
517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540
{
    uint8_t discid[20];
    char str[48];

    aacs->uks = NULL;
    aacs->num_uks = 0;

        while (ce && ce->entry.discid) {
            memset(discid, 0, sizeof(discid));
            hexstring_to_hex_array(discid, sizeof(discid),
                                   ce->entry.discid);
            if (!memcmp(aacs->disc_id, discid, 20)) {
                DEBUG(DBG_AACS, "Found config entry for discid %s\n",
                      ce->entry.discid);
                break;
            }

            ce = ce->next;
        }
        if (!ce) {
            return;
        }

        if (ce->entry.mek) {
541
            hexstring_to_hex_array(mk, 16, ce->entry.mek);
npzacs's avatar
npzacs committed
542 543

            DEBUG(DBG_AACS, "Found media key for %s: %s\n",
544
                  ce->entry.discid, print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
545 546 547 548 549 550 551 552 553 554 555
        }

        if (ce->entry.vid) {
            hexstring_to_hex_array(aacs->vid, sizeof(aacs->vid),
                                    ce->entry.vid);

            DEBUG(DBG_AACS, "Found volume id for %s: %s\n",
                  ce->entry.discid, print_hex(str, aacs->vid, 16));
        }

        if (ce->entry.vuk) {
556
            hexstring_to_hex_array(vuk, 16, ce->entry.vuk);
npzacs's avatar
npzacs committed
557 558

            DEBUG(DBG_AACS, "Found volume unique key for %s: %s\n",
559
                  ce->entry.discid, print_hex(str, vuk, 16));
npzacs's avatar
npzacs committed
560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581
        }

        if (ce->entry.uk) {
            DEBUG(DBG_AACS, "Acquire CPS unit keys from keydb config file...\n");

            digit_key_pair_list *ukcursor = ce->entry.uk;
            while (ukcursor && ukcursor->key_pair.key) {
                aacs->num_uks++;

                aacs->uks = (uint8_t*)realloc(aacs->uks, 16 * aacs->num_uks);
                hexstring_to_hex_array(aacs->uks + (16 * (aacs->num_uks - 1)), 16,
                                      ukcursor->key_pair.key);

                DEBUG(DBG_AACS, "Unit key %d from keydb entry: %s\n",
                      aacs->num_uks,
                      print_hex(str, aacs->uks + (16 * (aacs->num_uks - 1)), 16));

                ukcursor = ukcursor->next;
            }
        }
}

582
static int _calc_uks(AACS *aacs, config_file *cf)
cRTrn13's avatar
openssl  
cRTrn13 committed
583
{
584
    AACS_FILE_H *fp = NULL;
585
    uint8_t  buf[16];
586
    uint64_t f_pos;
587
    unsigned int i;
npzacs's avatar
npzacs committed
588
    int error_code;
cRTrn13's avatar
openssl  
cRTrn13 committed
589

590 591 592 593 594
    uint8_t mk[16] = {0}, vuk[16] = {0};

    DEBUG(DBG_AACS, "Searching for keydb config entry...\n");
    _find_config_entry(aacs, cf->list, mk, vuk);

595
    /* Skip if retrieved from config file */
596
    if (aacs->uks) {
npzacs's avatar
npzacs committed
597
        return AACS_SUCCESS;
598
    }
599

600
    /* Make sure we have VUK */
601
    error_code = _calc_vuk(aacs, mk, vuk, cf->pkl, cf->host_cert_list);
npzacs's avatar
npzacs committed
602 603
    if (error_code != AACS_SUCCESS) {
        return error_code;
604
    }
605

606 607
    DEBUG(DBG_AACS, "Calculate CPS unit keys...\n");

npzacs's avatar
npzacs committed
608
    fp = _open_unit_key_file(aacs->path);
npzacs's avatar
npzacs committed
609 610 611
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
    }
cRTrn13's avatar
openssl  
cRTrn13 committed
612

npzacs's avatar
npzacs committed
613 614
    if ((file_read(fp, buf, 4)) == 4) {
        f_pos = MKINT_BE32(buf);
npzacs's avatar
npzacs committed
615

npzacs's avatar
npzacs committed
616 617 618 619
        // Read number of keys
        file_seek(fp, f_pos, SEEK_SET);
        if ((file_read(fp, buf, 2)) == 2) {
            aacs->num_uks = MKINT_BE16(buf);
npzacs's avatar
npzacs committed
620

npzacs's avatar
npzacs committed
621 622
            X_FREE(aacs->uks);
            aacs->uks = calloc(aacs->num_uks, 16);
npzacs's avatar
npzacs committed
623

npzacs's avatar
npzacs committed
624
            DEBUG(DBG_AACS, "%d CPS unit keys\n", aacs->num_uks);
npzacs's avatar
npzacs committed
625

npzacs's avatar
npzacs committed
626 627 628 629 630
        } else {
            aacs->num_uks = 0;
            DEBUG(DBG_AACS | DBG_CRIT, "Error reading number of unit keys\n");
            error_code = AACS_ERROR_CORRUPTED_DISC;
        }
cRTrn13's avatar
openssl  
cRTrn13 committed
631

npzacs's avatar
npzacs committed
632 633 634
        // Read keys
        for (i = 0; i < aacs->num_uks; i++) {
            f_pos += 48;
cRTrn13's avatar
openssl  
cRTrn13 committed
635

npzacs's avatar
npzacs committed
636 637 638 639 640 641
            file_seek(fp, f_pos, SEEK_SET);
            if ((file_read(fp, buf, 16)) != 16) {
                DEBUG(DBG_AACS, "Unit key %d: read error\n", i);
                aacs->num_uks = i;
                error_code = AACS_ERROR_CORRUPTED_DISC;
                break;
npzacs's avatar
npzacs committed
642
            }
cRTrn13's avatar
openssl  
cRTrn13 committed
643

npzacs's avatar
npzacs committed
644 645 646
            gcry_cipher_hd_t gcry_h;
            gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES,
                             GCRY_CIPHER_MODE_ECB, 0);
647
            gcry_cipher_setkey(gcry_h, vuk, 16);
npzacs's avatar
npzacs committed
648 649
            gcry_cipher_decrypt(gcry_h, aacs->uks + 16*i, 16, buf, 16);
            gcry_cipher_close(gcry_h);
cRTrn13's avatar
openssl  
cRTrn13 committed
650

npzacs's avatar
npzacs committed
651 652 653
            char str[40];
            DEBUG(DBG_AACS, "Unit key %d: %s\n", i,
                  print_hex(str, aacs->uks + 16*i, 16));
654 655
        }

npzacs's avatar
npzacs committed
656 657 658
        /* failing next is not fatal, it just slows down things */
        _read_uks_map(aacs, fp);

659
        file_close(fp);
cRTrn13's avatar
openssl  
cRTrn13 committed
660

npzacs's avatar
npzacs committed
661 662 663 664 665 666 667
        return error_code;
    }

    file_close(fp);

    DEBUG(DBG_AACS | DBG_CRIT, "Error reading unit keys\n");
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
openssl  
cRTrn13 committed
668 669
}

670 671
static int _calc_title_hash(const char *path, uint8_t *title_hash)
{
672
    AACS_FILE_H *fp = NULL;
673 674 675
    uint8_t *ukf_buf;
    char     str[48];
    int64_t  f_size;
npzacs's avatar
npzacs committed
676
    int      result = AACS_SUCCESS;
677

npzacs's avatar
npzacs committed
678 679 680
    fp = _open_unit_key_file(path);
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
681 682 683 684 685 686 687 688
    }

    file_seek(fp, 0, SEEK_END);
    f_size = file_tell(fp);
    file_seek(fp, 0, SEEK_SET);

    ukf_buf = malloc(f_size);

npzacs's avatar
npzacs committed
689 690 691
    if ((file_read(fp, ukf_buf, f_size)) == f_size) {
        crypto_aacs_title_hash(ukf_buf, f_size, title_hash);
        DEBUG(DBG_AACS, "Disc ID: %s\n", print_hex(str, title_hash, 20));
cRTrn13's avatar
cRTrn13 committed
692

npzacs's avatar
npzacs committed
693 694 695
    } else {
        result = AACS_ERROR_CORRUPTED_DISC;
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read %"PRIu64" bytes from unit key file %s/AACS/Unit_Key_RO.inf", f_size, path);
696 697 698 699 700
    }

    file_close(fp);
    X_FREE(ukf_buf);

npzacs's avatar
npzacs committed
701
    return result;
702
}
cRTrn13's avatar
cRTrn13 committed
703

704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747
static int _get_bus_encryption_enabled(const char *path)
{
    AACS_FILE_H *fp = NULL;
    uint8_t buf[2];
    int bee = 0;

    fp = _open_content_certificate_file(path);
    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to open content certificate\n");
        return 0;
    }

    if (file_read(fp, buf, 2) == 2) {
        bee = (buf[1] & 0x80) >> 7;
        DEBUG(DBG_AACS, "Bus Encryption Enabled flag in content certificate: %d\n", bee);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read Bus Encryption Enabled flag from content certificate file\n");
    }

    file_close(fp);
    return bee;
}

static int _get_bus_encryption_capable(const char *path)
{
    MMC* mmc = NULL;
    uint8_t drive_cert[92];
    int bec = 0;

    if (!(mmc = mmc_open(path))) {
        return 0;
    }

    if (mmc_read_drive_cert(mmc, drive_cert) == MMC_SUCCESS) {
        bec = drive_cert[1] & 1;
        DEBUG(DBG_AACS, "Bus Encryption Capable flag in drive certificate: %d\n", bec);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to read drive certificate\n");
    }

    mmc_close(mmc);
    return bec;
}

npzacs's avatar
npzacs committed
748
static int _verify_ts(uint8_t *buf, size_t size)
749
{
750 751
    uint8_t *ptr;

cRTrn13's avatar
cRTrn13 committed
752 753 754 755 756 757 758
    if (size < 192) {
        return 1;
    }

    for (ptr=buf; ptr < buf+192; ptr++) {
        int failed = 0;
        if (*ptr == 0x47) {
759 760 761 762
            uint8_t *ptr2;

            for (ptr2=ptr; ptr2 < buf + size; ptr2 += 192) {
                if (*ptr2 != 0x47) {
cRTrn13's avatar
cRTrn13 committed
763 764
                    failed = 1;
                    break;
765 766
                }
            }
cRTrn13's avatar
cRTrn13 committed
767 768 769
            if (!failed) {
                return 1;
            }
770 771 772 773
        }
        ptr++;
    }

cRTrn13's avatar
cRTrn13 committed
774
    DEBUG(DBG_AACS, "Failed to verify TS!\n");
775

cRTrn13's avatar
cRTrn13 committed
776
    return 0;
777 778
}

779
#define ALIGNED_UNIT_LEN 6144
780
static int _decrypt_unit(AACS *aacs, uint8_t *out_buf, const uint8_t *in_buf, uint32_t curr_uk)
cRTrn13's avatar
cRTrn13 committed
781
{
782 783
    gcry_cipher_hd_t gcry_h;
    int a;
784
    uint8_t key[16];
785 786 787

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, aacs->uks + curr_uk * 16, 16);
788
    gcry_cipher_encrypt(gcry_h, key, 16, in_buf, 16);
789
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
790

cRTrn13's avatar
cRTrn13 committed
791
    for (a = 0; a < 16; a++) {
792
        key[a] ^= in_buf[a];
cRTrn13's avatar
cRTrn13 committed
793 794
    }

795 796
    memcpy(out_buf, in_buf, 16); /* first 16 bytes are plain */

797 798
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, key, 16);
799
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
800
    gcry_cipher_decrypt(gcry_h, out_buf + 16, ALIGNED_UNIT_LEN - 16, in_buf + 16, ALIGNED_UNIT_LEN - 16);
801
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
802

803
    if (_verify_ts(out_buf, ALIGNED_UNIT_LEN)) {
cRTrn13's avatar
cRTrn13 committed
804 805 806
        return 1;
    }

807
    if (curr_uk < aacs->num_uks - 1) {
808
        return _decrypt_unit(aacs, out_buf, in_buf, curr_uk++);
npzacs's avatar
npzacs committed
809 810
    }

cRTrn13's avatar
cRTrn13 committed
811 812 813
    return 0;
}

814
#define SECTOR_LEN 2048
815
static void _decrypt_bus(AACS *aacs, uint8_t *buf)
816 817 818 819 820
{
    gcry_cipher_hd_t gcry_h;

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, aacs->read_data_key, 16);
821
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
822
    gcry_cipher_decrypt(gcry_h, buf + 16, SECTOR_LEN - 16, NULL, 0);
823 824 825
    gcry_cipher_close(gcry_h);
}

npzacs's avatar
npzacs committed
826 827
void aacs_get_version(int *major, int *minor, int *micro)
{
npzacs's avatar
npzacs committed
828 829 830
    *major = AACS_VERSION_MAJOR;
    *minor = AACS_VERSION_MINOR;
    *micro = AACS_VERSION_MICRO;
npzacs's avatar
npzacs committed
831 832
}

npzacs's avatar
npzacs committed
833
/* aacs_open2() wrapper for backwards compability */
cRTrn13's avatar
cRTrn13 committed
834
AACS *aacs_open(const char *path, const char *configfile_path)
npzacs's avatar
npzacs committed
835 836 837 838 839 840 841 842 843 844 845 846 847 848
{
    int error_code;
    AACS *aacs;

    aacs = aacs_open2(path, configfile_path, &error_code);
    if (error_code == AACS_SUCCESS) {
        return aacs;
    }

    aacs_close(aacs);
    return NULL;
}

AACS *aacs_open2(const char *path, const char *configfile_path, int *error_code)
cRTrn13's avatar
cRTrn13 committed
849
{
npzacs's avatar
npzacs committed
850
    DEBUG(DBG_AACS, "libaacs "AACS_VERSION_STRING" [%zd]\n", sizeof(AACS));
cRTrn13's avatar
cRTrn13 committed
851

852
    DEBUG(DBG_AACS, "Initializing libgcrypt...\n");
npzacs's avatar
npzacs committed
853
    if (!crypto_init()) {
npzacs's avatar
npzacs committed
854
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to initialize libgcrypt\n");
855 856
        return NULL;
    }
857

cRTrn13's avatar
cRTrn13 committed
858
    AACS *aacs = calloc(1, sizeof(AACS));
859
    config_file *cf;
860

npzacs's avatar
npzacs committed
861 862
    aacs->path = str_printf("%s", path);

npzacs's avatar
npzacs committed
863 864 865 866 867
    *error_code = _calc_title_hash(path, aacs->disc_id);
    if (*error_code != AACS_SUCCESS) {
        aacs_close(aacs);
        return NULL;
    }
npzacs's avatar
npzacs committed
868

869 870 871
    cf = keydbcfg_config_load(configfile_path);
    if (!cf) {
        *error_code = AACS_ERROR_NO_CONFIG;
npzacs's avatar
npzacs committed
872
        return aacs;
873 874
    }

npzacs's avatar
npzacs committed
875
    DEBUG(DBG_AACS, "Starting AACS waterfall...\n");
876 877 878 879
    *error_code = _calc_uks(aacs, cf);
    if (*error_code != AACS_SUCCESS) {
        DEBUG(DBG_AACS, "Failed to initialize AACS!\n");
    }
cRTrn13's avatar
cRTrn13 committed
880

881 882 883
    aacs->bee = _get_bus_encryption_enabled(path);
    aacs->bec = _get_bus_encryption_capable(path);

npzacs's avatar
npzacs committed
884
    if (*error_code == AACS_SUCCESS && aacs->bee && aacs->bec) {
885 886 887 888
        *error_code = _read_read_data_key(aacs, cf->host_cert_list);
        if (*error_code != AACS_SUCCESS) {
            DEBUG(DBG_AACS | DBG_CRIT, "Unable to initialize bus encryption required by drive and disc\n");
        }
npzacs's avatar
npzacs committed
889
    }
890

891 892 893 894
    keydbcfg_config_file_close(cf);

    DEBUG(DBG_AACS, "AACS initialized!\n");

npzacs's avatar
npzacs committed
895
    return aacs;
cRTrn13's avatar
cRTrn13 committed
896 897
}

cRTrn13's avatar
cRTrn13 committed
898
void aacs_close(AACS *aacs)
cRTrn13's avatar
cRTrn13 committed
899
{
npzacs's avatar
npzacs committed
900 901 902
    if (!aacs)
        return;

903
    X_FREE(aacs->uks);
904
    X_FREE(aacs->cps_units);
npzacs's avatar
npzacs committed
905
    X_FREE(aacs->path);
906

907
    DEBUG(DBG_AACS, "AACS destroyed!\n");
cRTrn13's avatar
cRTrn13 committed
908

cRTrn13's avatar
cRTrn13 committed
909 910 911
    X_FREE(aacs);
}

912
int aacs_decrypt_unit(AACS *aacs, uint8_t *buf)
913
{
914
    uint8_t out_buf[ALIGNED_UNIT_LEN];
915
    int i;
916

917 918 919 920 921
    if (!(buf[0] & 0xc0)) {
        // TP_extra_header Copy_permission_indicator == 0, unit is not encrypted
        return 1;
    }

922 923
    if (aacs->bee && aacs->bec) {
        for (i = 0; i < ALIGNED_UNIT_LEN; i += SECTOR_LEN) {
924
            _decrypt_bus(aacs, buf + i);
925 926 927
        }
    }

928
    if (_decrypt_unit(aacs, out_buf, buf, aacs->current_cps_unit)) {
929
        memcpy(buf, out_buf, ALIGNED_UNIT_LEN);