aacs.c 35.2 KB
Newer Older
1 2
/*
 * This file is part of libaacs
3
 * Copyright (C) 2009-2010  Obliter0n
npzacs's avatar
npzacs committed
4
 * Copyright (C) 2009-2010  npzacs
5
 *
gates's avatar
gates committed
6 7 8 9
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
10
 *
gates's avatar
gates committed
11
 * This library is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
gates's avatar
gates committed
13 14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
15
 *
gates's avatar
gates committed
16 17 18
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
19 20
 */

npzacs's avatar
npzacs committed
21 22 23 24
#if HAVE_CONFIG_H
#include "config.h"
#endif

npzacs's avatar
npzacs committed
25 26
#include <util/attributes.h>

npzacs's avatar
npzacs committed
27
#include "aacs-version.h"
cRTrn13's avatar
cRTrn13 committed
28
#include "aacs.h"
29
#include "crypto.h"
cRTrn13's avatar
cRTrn13 committed
30
#include "mmc.h"
31
#include "mkb.h"
gates's avatar
gates committed
32
#include "file/file.h"
gates's avatar
gates committed
33
#include "file/keydbcfg.h"
34 35
#include "util/macro.h"
#include "util/logging.h"
36
#include "util/strutl.h"
cRTrn13's avatar
cRTrn13 committed
37

38
#include <inttypes.h>
39
#include <string.h>
40
#include <stdio.h>
npzacs's avatar
npzacs committed
41 42 43
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
44
#include <gcrypt.h>
45

npzacs's avatar
npzacs committed
46

npzacs's avatar
npzacs committed
47
struct aacs {
npzacs's avatar
npzacs committed
48 49 50 51 52
    /* current disc */
    char     *path;
    int       mkb_version;
    uint8_t   disc_id[20];

53 54
    /* VID is cached for BD-J */
    uint8_t   vid[16];
55 56
    /* PMSN is cached for BD-J */
    uint8_t   pmsn[16];
npzacs's avatar
npzacs committed
57 58
    /* Media key is cached for BD+ */
    uint8_t   mk[16];
npzacs's avatar
npzacs committed
59 60 61 62

    /* unit key for each CPS unit */
    uint32_t  num_uks;
    uint8_t  *uks;
npzacs's avatar
npzacs committed
63

npzacs's avatar
npzacs committed
64 65 66 67 68 69
    /* CPS unit of currently selected title */
    uint16_t  current_cps_unit;

    /* title -> CPS unit mappings */
    uint32_t  num_titles;
    uint16_t *cps_units;  /* [0] = first play ; [1] = top menu ; [2] = title 1 ... */
70 71 72 73

    /* bus encryption */
    int       bee;        /* bus encryption enabled flag in content certificate */
    int       bec;        /* bus encryption capable flag in drive certificate */
74
    uint8_t   read_data_key[16];
75 76 77 78

    /* AACS Online (BD-J) */
    uint8_t   device_nonce[16];
    uint8_t   device_binding_id[16];
npzacs's avatar
npzacs committed
79 80
};

81 82
static const uint8_t empty_key[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
                                   "\x00\x00\x00\x00\x00\x00\x00\x00";
83 84
static const uint8_t aacs_iv[]   = "\x0b\xa0\xf8\xdd\xfe\xa6\x1f\xb3"
                                   "\xd8\xdf\x9f\x56\x6a\x05\x0f\x78";
85

86 87
static int _validate_pk(const uint8_t *pk,
                        const uint8_t *cvalue, const uint8_t *uv, const uint8_t *vd,
npzacs's avatar
npzacs committed
88
                        uint8_t *mk)
cRTrn13's avatar
cRTrn13 committed
89
{
90
    gcry_cipher_hd_t gcry_h;
npzacs's avatar
npzacs committed
91
    int a;
cRTrn13's avatar
cRTrn13 committed
92
    uint8_t dec_vd[16];
93
    char str[40];
cRTrn13's avatar
cRTrn13 committed
94

95
    DEBUG(DBG_AACS, "Validate processing key %s...\n", print_hex(str, pk, 16));
cRTrn13's avatar
cRTrn13 committed
96
    DEBUG(DBG_AACS, " Using:\n");
97 98 99
    DEBUG(DBG_AACS, "   UV: %s\n", print_hex(str, uv, 4));
    DEBUG(DBG_AACS, "   cvalue: %s\n", print_hex(str, cvalue, 16));
    DEBUG(DBG_AACS, "   Verification data: %s\n", print_hex(str, vd, 16));
100

101 102 103
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, pk, 16);
    gcry_cipher_decrypt(gcry_h, mk, 16, cvalue, 16);
104

cRTrn13's avatar
cRTrn13 committed
105 106 107 108
    for (a = 0; a < 4; a++) {
        mk[a + 12] ^= uv[a];
    }

109 110 111
    gcry_cipher_setkey(gcry_h, mk, 16);
    gcry_cipher_decrypt (gcry_h, dec_vd, 16, vd, 16);
    gcry_cipher_close(gcry_h);
112

cRTrn13's avatar
cRTrn13 committed
113
    if (!memcmp(dec_vd, "\x01\x23\x45\x67\x89\xAB\xCD\xEF", 8)) {
npzacs's avatar
npzacs committed
114
        DEBUG(DBG_AACS, "Processing key %s is valid!\n", print_hex(str, pk, 16));
npzacs's avatar
npzacs committed
115
        return AACS_SUCCESS;
cRTrn13's avatar
cRTrn13 committed
116 117
    }

npzacs's avatar
npzacs committed
118
    return AACS_ERROR_NO_PK;
cRTrn13's avatar
cRTrn13 committed
119
}
120

121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
static int _rl_verify_signature(const uint8_t *rl, size_t size)
{
    int    entries = MKINT_BE32(rl + 12 + 8);
    size_t len     = 12 + 12 + 8 * entries; /* type_and_version_rec=12, rl_header=12, rl=entries*8 */

    if (len + 40 > size) {
        DEBUG(DBG_AACS, "revocation list size mismatch\n");
        return 0;
    }

    return crypto_aacs_verify_aacsla(rl + len, rl, len);
}

static void _update_drl(MKB *mkb)
{
    uint32_t version = mkb_version(mkb);
    uint32_t cache_version;

    if (!cache_get("drl", &cache_version, NULL, NULL) || cache_version < version) {
        size_t drl_len;
        const uint8_t *drl_rec = mkb_drive_revokation_entries(mkb, &drl_len);
        const uint8_t *v_rec   = mkb_type_and_version_record(mkb);

        if (drl_rec && v_rec) {
            drl_rec -= 4;
            drl_len += 4;

            uint8_t *data = malloc(12 + drl_len);
            memcpy(data,      v_rec,   12);
            memcpy(data + 12, drl_rec, drl_len);
            if (!_rl_verify_signature(data, drl_len + 12)) {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid drive revocation list signature, not using it\n");
            } else {
                cache_save("drl", version, data, drl_len + 12);
            }
            X_FREE(data);
        }
    }
}

161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213
static uint32_t _calc_v_mask(uint32_t uv)
{
    uint32_t v_mask = 0xffffffff;

    while (!(uv & ~v_mask)) {
        v_mask <<= 1;
    }

    return v_mask;
}

static void _calc_pk(const uint8_t *dk, uint8_t *pk, uint32_t uv, uint32_t v_mask, uint32_t dev_key_v_mask)
{
    unsigned char left_child[16], right_child[16];

    crypto_aesg3(dk, left_child, right_child, pk);

    while (dev_key_v_mask != v_mask) {

        int i;
        for (i = 31; i >= 0; i--) {
            if (!(dev_key_v_mask & (1ul << i))) {
                break;
            }
        }

        uint8_t curr_key[16];
        if (!(uv & (1ul << i))) {
            memcpy(curr_key, left_child, 16);
        } else {
            memcpy(curr_key, right_child, 16);
        }

        crypto_aesg3(curr_key, left_child, right_child, pk);

        dev_key_v_mask = ((int) dev_key_v_mask) >> 1;
    }

    char str[40];
    DEBUG(DBG_AACS, "Processing key: %s\n",  print_hex(str, pk, 16));
}

static dk_list *_find_dk(dk_list *dkl, uint32_t *p_dev_key_v_mask, uint32_t uv, uint32_t u_mask)
{
    uint32_t device_number = dkl->node;
    uint32_t dev_key_uv, dev_key_u_mask, dev_key_v_mask;
    unsigned key_idx = 0;

    for (; dkl; dkl = dkl->next) {
        if (device_number != dkl->node) {
            /* wrong device */
            continue;
        }
npzacs's avatar
npzacs committed
214 215 216
        if (!dkl->uv) {
            continue;
        }
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270
        key_idx++;
        dev_key_uv     = dkl->uv;
        dev_key_u_mask = 0xffffffff << dkl->u_mask_shift;
        dev_key_v_mask = _calc_v_mask(dev_key_uv);

        if ((u_mask == dev_key_u_mask) &&
            ((uv & dev_key_v_mask) == (dev_key_uv & dev_key_v_mask))) {
            break;
        }
    }

    if (!dkl) {
        DEBUG(DBG_AACS | DBG_CRIT, "could not find applying device key (device 0x%x)\n", device_number);
    } else {
        char str[128];
        DEBUG(DBG_AACS, "Applying device key is #%d %s\n", key_idx, print_hex(str, dkl->key, 16));
        DEBUG(DBG_AACS, "  UV: 0x%08x  U mask: 0x%08x  V mask: 0x%08x\n", dev_key_uv, dev_key_u_mask, dev_key_v_mask);
        *p_dev_key_v_mask = dev_key_v_mask;
    }

    return dkl;
}

static int _calc_pk_mk(MKB *mkb, dk_list *dkl, uint8_t *mk)
{
    /* calculate processing key and media key using device keys */

    const uint8_t *uvs, *cvalues;
    unsigned num_uvs;
    size_t len;
    char str[128];

    /* get mkb data */

    uvs     = mkb_subdiff_records(mkb, &len);
    cvalues = mkb_cvalues(mkb, &len);
    num_uvs = len / 5;

    if (num_uvs < 1) {
        return AACS_ERROR_CORRUPTED_DISC;
    }

    /* loop over all known devices */

    dk_list *dk_num;
    uint32_t device_number = (uint32_t)-1;

    for (dk_num = dkl; dk_num; dk_num = dk_num->next) {

        /* find next device */

        if (device_number == dk_num->node) {
            continue;
        }
271
        device_number = dk_num->node;
272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348

        /* find applying subset difference */

        unsigned uvs_idx;
        uint32_t u_mask, v_mask, uv;

        for (uvs_idx = 0; uvs_idx < num_uvs; uvs_idx++) {
            const uint8_t *p_uv = uvs + 1 + 5 * uvs_idx;
            uint8_t u_mask_shift = p_uv[-1];

            uv = MKINT_BE32(p_uv);
            if (!uv) {
                continue;
            }

            if (u_mask_shift & 0xc0) {
                DEBUG(DBG_AACS | DBG_CRIT, "device 0x%x is revoked\n", device_number);
                uvs_idx = num_uvs;

            } else {

                u_mask = 0xffffffff << u_mask_shift;
                v_mask = _calc_v_mask(uv);

                if (((device_number & u_mask) == (uv & u_mask)) && ((device_number & v_mask) != (uv & v_mask))) {
                    break;
                }
            }
        }

        if (uvs_idx >= num_uvs) {
            DEBUG(DBG_AACS | DBG_CRIT, "could not find applying subset-difference for device 0x%x\n", device_number);
            /* try next device */
            continue;
        }

        DEBUG(DBG_AACS, "Applying subset-difference for device 0x%x is #%d:\n", device_number, uvs_idx);
        DEBUG(DBG_AACS,"  UV: 0x%08x  U mask: 0x%08x  V mask: 0x%08x\n", uv, u_mask, v_mask);

        /* find applying device key */

        uint32_t dev_key_v_mask = 0;
        dk_list *dk;

        dk = _find_dk(dk_num, &dev_key_v_mask, uv, u_mask);
        if (!dk) {
            /* try next device */
            continue;
        }

        /* calculate processing key */

        uint8_t pk[16];
        _calc_pk(dk->key, pk, uv, v_mask, dev_key_v_mask);

        /* calculate and verify media key */

        if ( _validate_pk(pk,
                          cvalues + uvs_idx * 16,
                          uvs + 1 + uvs_idx * 5,
                          mkb_mk_dv(mkb),
                          mk)
             == AACS_SUCCESS) {

            DEBUG(DBG_AACS, "Media key: %s\n", print_hex(str, mk, 16));
            return AACS_SUCCESS;
        }

        DEBUG(DBG_AACS | DBG_CRIT, "Processing key %s is invalid!\n", print_hex(str, pk, 16));

        /* try next device */
    }

    return AACS_ERROR_NO_DK;
}

static int _calc_mk(AACS *aacs, uint8_t *mk, pk_list *pkl, dk_list *dkl)
cRTrn13's avatar
keyfile  
cRTrn13 committed
349 350 351 352
{
    int a, num_uvs = 0;
    size_t len;
    MKB *mkb = NULL;
353
    const uint8_t *rec, *uvs;
cRTrn13's avatar
keyfile  
cRTrn13 committed
354

355
    /* Skip if retrieved from config file */
356 357 358
    if (memcmp(mk, empty_key, 16)) {
        return AACS_SUCCESS;
    }
359

cRTrn13's avatar
cRTrn13 committed
360 361
    DEBUG(DBG_AACS, "Calculate media key...\n");

npzacs's avatar
npzacs committed
362
    if ((mkb = mkb_open(aacs->path))) {
363

npzacs's avatar
npzacs committed
364
        aacs->mkb_version = mkb_version(mkb);
365 366 367 368
        _update_drl(mkb);

        /* try device keys first */
        if (dkl && _calc_pk_mk(mkb, dkl, mk) == AACS_SUCCESS) {
npzacs's avatar
npzacs committed
369
            memcpy(aacs->mk, mk, sizeof(aacs->mk));
370 371 372 373 374
            mkb_close(mkb);
            return AACS_SUCCESS;
        }

        DEBUG(DBG_AACS, "Get UVS...\n");
375 376 377 378 379 380 381 382
        uvs = mkb_subdiff_records(mkb, &len);
        rec = uvs;
        while (rec < uvs + len) {
            if (rec[0] & 0xc0)
                break;
            rec += 5;
            num_uvs++;
        }
cRTrn13's avatar
keyfile  
cRTrn13 committed
383

384 385
        DEBUG(DBG_AACS, "Get cvalues...\n");
        rec = mkb_cvalues(mkb, &len);
386

npzacs's avatar
npzacs committed
387
        for (; pkl; pkl = pkl->next) {
388 389 390
                DEBUG(DBG_AACS, "Trying processing key...\n");

                for (a = 0; a < num_uvs; a++) {
npzacs's avatar
npzacs committed
391
                    if (AACS_SUCCESS == _validate_pk(pkl->key, rec + a * 16, uvs + 1 + a * 5,
392
                      mkb_mk_dv(mkb), mk)) {
393
                        mkb_close(mkb);
394

395
                        char str[40];
396
                        DEBUG(DBG_AACS, "Media key: %s\n", print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
397
                        memcpy(aacs->mk, mk, sizeof(aacs->mk));
npzacs's avatar
npzacs committed
398
                        return AACS_SUCCESS;
399 400
                    }
                }
cRTrn13's avatar
keyfile  
cRTrn13 committed
401 402
            }

403
        mkb_close(mkb);
cRTrn13's avatar
keyfile  
cRTrn13 committed
404

npzacs's avatar
npzacs committed
405
        DEBUG(DBG_AACS | DBG_CRIT, "Error calculating media key. Missing right processing key ?\n");
npzacs's avatar
npzacs committed
406
        return AACS_ERROR_NO_PK;
npzacs's avatar
npzacs committed
407
    }
npzacs's avatar
npzacs committed
408

npzacs's avatar
npzacs committed
409
    DEBUG(DBG_AACS | DBG_CRIT, "Error opening %s/AACS/MKB_RO.inf\n", aacs->path);
npzacs's avatar
npzacs committed
410
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
keyfile  
cRTrn13 committed
411
}
412

413 414 415 416
static MKB *_get_hrl_mkb(MMC *mmc)
{
    MKB     *mkb = NULL;
    uint8_t *data;
npzacs's avatar
npzacs committed
417
    int      mkb_size;
418

npzacs's avatar
npzacs committed
419
    data = mmc_read_mkb(mmc, 0, &mkb_size);
420 421

    /* check acquired hrl signature */
npzacs's avatar
npzacs committed
422 423 424
    if (data && mkb_size > 0) {
        if (_rl_verify_signature(data, mkb_size)) {
            mkb = mkb_init(data, mkb_size);
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469
            DEBUG(DBG_AACS, "Partial hrl mkb read. Version: %d\n", mkb_version(mkb));
        } else {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid host revocation list signature, not using it\n");
            X_FREE(data);
        }
    }

    if (mkb) {
        /* use latest version, keep cache up-to-date */
        uint32_t size;
        size = mkb_data_size(mkb);
        data = cache_get_or_update("hrl", mkb_data(mkb), &size, mkb_version(mkb));

        if (!_rl_verify_signature(data, size)) {
            DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, replacing it\n");
            cache_save("hrl", mkb_version(mkb), mkb_data(mkb), mkb_data_size(mkb));
            X_FREE(data);
        } else {
            /* use cached version */
            mkb_close(mkb);
            mkb = mkb_init(data, size);
        }

    } else {
        /* use cached version */
        uint32_t size;
        data = cache_get_or_update("hrl", NULL, &size, 0);
        if (data && size > 0) {
            if (!_rl_verify_signature(data, size)) {
                mkb = mkb_init(data, size);
            } else {
                DEBUG(DBG_AACS | DBG_CRIT, "invalid cached revocation list signature, deleting cache\n");
                cache_remove("hrl");
            }
        }
    }


    if (mkb) {
        DEBUG(DBG_AACS, "Using hrl version %d\n", mkb_version(mkb));
    }

    return mkb;
}

npzacs's avatar
npzacs committed
470
static int _mmc_read_auth(AACS *aacs, cert_list *hcl, int type, uint8_t *p1, uint8_t *p2)
cRTrn13's avatar
openssl  
cRTrn13 committed
471
{
cRTrn13's avatar
cRTrn13 committed
472
    MMC* mmc = NULL;
npzacs's avatar
npzacs committed
473
    if (!(mmc = mmc_open(aacs->path))) {
npzacs's avatar
npzacs committed
474
        return AACS_ERROR_MMC_OPEN;
475 476
    }

npzacs's avatar
npzacs committed
477 478
    int error_code = AACS_ERROR_NO_CERT;

479
    MKB *hrl_mkb = _get_hrl_mkb(mmc);
480
    const uint8_t *drive_cert = mmc_get_drive_cert(mmc);
481

npzacs's avatar
npzacs committed
482
    for (; hcl ; hcl = hcl->next) {
483 484 485

        char tmp_str[2*92+1];

npzacs's avatar
npzacs committed
486
        if (!crypto_aacs_verify_host_cert(hcl->host_cert)) {
npzacs's avatar
npzacs committed
487
            DEBUG(DBG_AACS, "Not using invalid host certificate %s.\n",
npzacs's avatar
npzacs committed
488
                  print_hex(tmp_str, hcl->host_cert, 92));
npzacs's avatar
npzacs committed
489 490
            continue;
        }
491

npzacs's avatar
npzacs committed
492
        if (mkb_host_cert_is_revoked(hrl_mkb, hcl->host_cert + 4) > 0) {
493
            DEBUG(DBG_AACS | DBG_CRIT, "Host certificate %s has been revoked.\n",
npzacs's avatar
npzacs committed
494
                  print_hex(tmp_str, hcl->host_cert + 4, 6));
495 496 497 498
            error_code = AACS_ERROR_CERT_REVOKED;
            //continue;
        }

npzacs's avatar
npzacs committed
499
        if (drive_cert && (drive_cert[1] & 0x01) && !(hcl->host_cert[1] & 0x01)) {
500
            DEBUG(DBG_AACS, "Certificate (id 0x%s) does not support bus encryption\n",
npzacs's avatar
npzacs committed
501
                  print_hex(tmp_str, hcl->host_cert + 4, 6));
502 503 504
            //continue;
        }

505
        DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
npzacs's avatar
npzacs committed
506
              print_hex(tmp_str, hcl->host_cert + 4, 6));
507

npzacs's avatar
npzacs committed
508
        int mmc_result = mmc_read_auth(mmc, hcl->host_priv_key, hcl->host_cert, type, p1, p2);
npzacs's avatar
npzacs committed
509 510
        switch (mmc_result) {
            case MMC_SUCCESS:
511
                mkb_close(hrl_mkb);
npzacs's avatar
npzacs committed
512 513 514 515 516 517 518 519 520
                mmc_close(mmc);
                return AACS_SUCCESS;
            case MMC_ERROR_CERT_REVOKED:
                error_code = AACS_ERROR_CERT_REVOKED;
                break;
            case MMC_ERROR:
            default:
                error_code = AACS_ERROR_MMC_FAILURE;
                break;
521 522 523
        }
    }

524
    mkb_close(hrl_mkb);
525 526
    mmc_close(mmc);

npzacs's avatar
npzacs committed
527
    return error_code;
528
}
cRTrn13's avatar
openssl  
cRTrn13 committed
529

npzacs's avatar
npzacs committed
530
static int _read_vid(AACS *aacs, cert_list *hcl)
531
{
npzacs's avatar
npzacs committed
532 533 534
    /* Use VID given in config file if available */
    if (memcmp(aacs->vid, empty_key, 16)) {
        return AACS_SUCCESS;
535 536
    }

npzacs's avatar
npzacs committed
537 538 539 540 541 542
    int error_code = _mmc_read_auth(aacs, hcl, MMC_READ_VID, aacs->vid, NULL);
    if (error_code != AACS_SUCCESS) {
        DEBUG(DBG_AACS, "Error reading VID!\n");
    } else {
        /* cache vid */
        keycache_save("vid", aacs->disc_id, aacs->vid, 16);
543 544 545 546
    }
    return error_code;
}

npzacs's avatar
npzacs committed
547
static int _read_read_data_key(AACS *aacs, cert_list *hcl)
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
548
{
npzacs's avatar
npzacs committed
549 550 551
    int error_code = _mmc_read_auth(aacs, hcl, MMC_READ_DATA_KEYS, aacs->read_data_key, NULL);
    if (error_code != AACS_SUCCESS) {
        DEBUG(DBG_AACS, "Error reading data keys!\n");
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
552
    }
npzacs's avatar
npzacs committed
553 554
    return error_code;
}
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
555

npzacs's avatar
npzacs committed
556 557 558 559 560
static int _read_pmsn(AACS *aacs, cert_list *hcl)
{
    int error_code = _mmc_read_auth(aacs, hcl, MMC_READ_PMSN, aacs->pmsn, NULL);
    if (error_code != AACS_SUCCESS) {
        DEBUG(DBG_AACS, "Error reading PMSN!\n");
Janusz Dziemidowicz's avatar
Janusz Dziemidowicz committed
561 562 563 564
    }
    return error_code;
}

565
static int _calc_vuk(AACS *aacs, uint8_t *mk, uint8_t *vuk, config_file *cf)
566
{
npzacs's avatar
npzacs committed
567 568
    int error_code;

569
    /* Skip if retrieved from config file */
570
    if (memcmp(vuk, empty_key, 16)) {
npzacs's avatar
npzacs committed
571 572 573
        DEBUG(DBG_AACS, "Using VUK from config file\n");
        return AACS_SUCCESS;
    }
574

npzacs's avatar
npzacs committed
575
    /* get cached vuk */
576
    if (keycache_find("vuk", aacs->disc_id, vuk, 16)) {
npzacs's avatar
npzacs committed
577
        DEBUG(DBG_AACS, "Using cached VUK\n");
npzacs's avatar
npzacs committed
578
        return AACS_SUCCESS;
npzacs's avatar
npzacs committed
579 580
    }

581 582 583 584
    if (!cf) {
        return AACS_ERROR_NO_CONFIG;
    }

585
    /* make sure we have media key */
586
    error_code = _calc_mk(aacs, mk, cf->pkl, cf->dkl);
npzacs's avatar
npzacs committed
587 588
    if (error_code != AACS_SUCCESS) {
        return error_code;
589 590
    }

npzacs's avatar
npzacs committed
591
    /* acquire VID */
592
    error_code = _read_vid(aacs, cf->host_cert_list);
npzacs's avatar
npzacs committed
593 594 595
    if (error_code != AACS_SUCCESS) {
        return error_code;
    }
596

npzacs's avatar
npzacs committed
597
    /* calculate VUK */
598

npzacs's avatar
npzacs committed
599
    crypto_aes128d(mk, aacs->vid, vuk);
600

npzacs's avatar
npzacs committed
601
    int a;
npzacs's avatar
npzacs committed
602
    for (a = 0; a < 16; a++) {
603
        vuk[a] ^= aacs->vid[a];
npzacs's avatar
npzacs committed
604
    }
605

npzacs's avatar
npzacs committed
606
    char str[40];
607
    DEBUG(DBG_AACS, "Volume unique key: %s\n", print_hex(str, vuk, 16));
608

npzacs's avatar
npzacs committed
609
    /* cache vuk */
610
    keycache_save("vuk", aacs->disc_id, vuk, 16);
npzacs's avatar
npzacs committed
611

npzacs's avatar
npzacs committed
612
    return AACS_SUCCESS;
cRTrn13's avatar
openssl  
cRTrn13 committed
613 614
}

615 616
static uint16_t _read_u16(AACS_FILE_H *fp)
{
npzacs's avatar
npzacs committed
617
  uint8_t data[2] = {0, 0};
618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663

  file_read(fp, data, sizeof(uint16_t));

  return MKINT_BE16(data);
}

static void _read_uks_map(AACS *aacs, AACS_FILE_H *fp)
{
    uint16_t first_play, top_menu;
    unsigned i;

    DEBUG(DBG_AACS, "Assigning CPS units to titles ...\n");

    X_FREE(aacs->cps_units);
    aacs->current_cps_unit = 0;

    file_seek(fp, 16 + 4, SEEK_SET);

    first_play = _read_u16(fp);
    top_menu   = _read_u16(fp);

    DEBUG(DBG_AACS, "Title FP : CPS unit %d\n", first_play);
    DEBUG(DBG_AACS, "Title TM : CPS unit %d\n", top_menu);

    aacs->num_titles   = _read_u16(fp);
    aacs->cps_units    = calloc(sizeof(uint16_t), aacs->num_titles + 2);
    aacs->cps_units[0] = first_play;
    aacs->cps_units[1] = top_menu;

    for (i = 2; i < aacs->num_titles + 2; i++) {
        _read_u16(fp); /* reserved */
        aacs->cps_units[i] = _read_u16(fp);
        DEBUG(DBG_AACS, "Title %02d : CPS unit %d\n", i - 1, aacs->cps_units[i]);
    }

    /* validate */
    for (i = 0; i < aacs->num_titles + 2; i++) {
        if (aacs->cps_units[i])
            aacs->cps_units[i]--; /* number [1...N] --> index [0...N-1] */
        if (aacs->cps_units[i] >= aacs->num_uks) {
            DEBUG(DBG_AACS, " *** Invalid CPS unit for title %d: %d !\n", (int) i - 1, aacs->cps_units[i]);
            aacs->cps_units[i] = 0;
        }
    }
}

npzacs's avatar
npzacs committed
664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679
static AACS_FILE_H *_open_unit_key_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Unit_Key_RO.inf", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening unit key file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695
static AACS_FILE_H *_open_content_certificate_file(const char *path)
{
    AACS_FILE_H *fp;
    char        *f_name;

    f_name = str_printf("%s/AACS/Content000.cer", path);
    fp = file_open(f_name, "rb");

    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Error opening content certificate file %s\n", f_name);
    }

    X_FREE(f_name);
    return fp;
}

npzacs's avatar
npzacs committed
696
/* Function that collects keys from keydb config entry */
697 698
static void _find_config_entry(AACS *aacs, title_entry_list *ce,
                               uint8_t *mk, uint8_t *vuk)
npzacs's avatar
npzacs committed
699 700 701 702 703 704 705
{
    char str[48];

    aacs->uks = NULL;
    aacs->num_uks = 0;

        while (ce && ce->entry.discid) {
npzacs's avatar
npzacs committed
706
            if (!memcmp(aacs->disc_id, ce->entry.discid, 20)) {
npzacs's avatar
npzacs committed
707
                DEBUG(DBG_AACS, "Found config entry for discid %s\n",
npzacs's avatar
npzacs committed
708
                      print_hex(str, ce->entry.discid, 20));
npzacs's avatar
npzacs committed
709 710 711 712 713 714 715 716 717 718
                break;
            }

            ce = ce->next;
        }
        if (!ce) {
            return;
        }

        if (ce->entry.mek) {
719
            hexstring_to_hex_array(mk, 16, ce->entry.mek);
npzacs's avatar
npzacs committed
720 721

            DEBUG(DBG_AACS, "Found media key for %s: %s\n",
722
                  ce->entry.discid, print_hex(str, mk, 16));
npzacs's avatar
npzacs committed
723 724 725 726 727 728 729 730 731 732 733
        }

        if (ce->entry.vid) {
            hexstring_to_hex_array(aacs->vid, sizeof(aacs->vid),
                                    ce->entry.vid);

            DEBUG(DBG_AACS, "Found volume id for %s: %s\n",
                  ce->entry.discid, print_hex(str, aacs->vid, 16));
        }

        if (ce->entry.vuk) {
734
            hexstring_to_hex_array(vuk, 16, ce->entry.vuk);
npzacs's avatar
npzacs committed
735 736

            DEBUG(DBG_AACS, "Found volume unique key for %s: %s\n",
737
                  ce->entry.discid, print_hex(str, vuk, 16));
npzacs's avatar
npzacs committed
738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759
        }

        if (ce->entry.uk) {
            DEBUG(DBG_AACS, "Acquire CPS unit keys from keydb config file...\n");

            digit_key_pair_list *ukcursor = ce->entry.uk;
            while (ukcursor && ukcursor->key_pair.key) {
                aacs->num_uks++;

                aacs->uks = (uint8_t*)realloc(aacs->uks, 16 * aacs->num_uks);
                hexstring_to_hex_array(aacs->uks + (16 * (aacs->num_uks - 1)), 16,
                                      ukcursor->key_pair.key);

                DEBUG(DBG_AACS, "Unit key %d from keydb entry: %s\n",
                      aacs->num_uks,
                      print_hex(str, aacs->uks + (16 * (aacs->num_uks - 1)), 16));

                ukcursor = ukcursor->next;
            }
        }
}

760
static int _calc_uks(AACS *aacs, config_file *cf)
cRTrn13's avatar
openssl  
cRTrn13 committed
761
{
762
    AACS_FILE_H *fp = NULL;
763
    uint8_t  buf[16];
764
    uint64_t f_pos;
765
    unsigned int i;
npzacs's avatar
npzacs committed
766
    int error_code;
cRTrn13's avatar
openssl  
cRTrn13 committed
767

768 769
    uint8_t mk[16] = {0}, vuk[16] = {0};

770 771 772
    if (cf) {
        DEBUG(DBG_AACS, "Searching for keydb config entry...\n");
        _find_config_entry(aacs, cf->list, mk, vuk);
773

774 775 776 777
        /* Skip if retrieved from config file */
        if (aacs->uks) {
            return AACS_SUCCESS;
        }
778
    }
779

780
    /* Make sure we have VUK */
781
    error_code = _calc_vuk(aacs, mk, vuk, cf);
npzacs's avatar
npzacs committed
782 783
    if (error_code != AACS_SUCCESS) {
        return error_code;
784
    }
785

786 787
    DEBUG(DBG_AACS, "Calculate CPS unit keys...\n");

npzacs's avatar
npzacs committed
788
    fp = _open_unit_key_file(aacs->path);
npzacs's avatar
npzacs committed
789 790 791
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
    }
cRTrn13's avatar
openssl  
cRTrn13 committed
792

npzacs's avatar
npzacs committed
793 794
    if ((file_read(fp, buf, 4)) == 4) {
        f_pos = MKINT_BE32(buf);
npzacs's avatar
npzacs committed
795

npzacs's avatar
npzacs committed
796 797 798 799
        // Read number of keys
        file_seek(fp, f_pos, SEEK_SET);
        if ((file_read(fp, buf, 2)) == 2) {
            aacs->num_uks = MKINT_BE16(buf);
npzacs's avatar
npzacs committed
800

npzacs's avatar
npzacs committed
801 802
            X_FREE(aacs->uks);
            aacs->uks = calloc(aacs->num_uks, 16);
npzacs's avatar
npzacs committed
803

npzacs's avatar
npzacs committed
804
            DEBUG(DBG_AACS, "%d CPS unit keys\n", aacs->num_uks);
npzacs's avatar
npzacs committed
805

npzacs's avatar
npzacs committed
806 807 808 809 810
        } else {
            aacs->num_uks = 0;
            DEBUG(DBG_AACS | DBG_CRIT, "Error reading number of unit keys\n");
            error_code = AACS_ERROR_CORRUPTED_DISC;
        }
cRTrn13's avatar
openssl  
cRTrn13 committed
811

npzacs's avatar
npzacs committed
812 813 814
        // Read keys
        for (i = 0; i < aacs->num_uks; i++) {
            f_pos += 48;
cRTrn13's avatar
openssl  
cRTrn13 committed
815

npzacs's avatar
npzacs committed
816 817 818 819 820 821
            file_seek(fp, f_pos, SEEK_SET);
            if ((file_read(fp, buf, 16)) != 16) {
                DEBUG(DBG_AACS, "Unit key %d: read error\n", i);
                aacs->num_uks = i;
                error_code = AACS_ERROR_CORRUPTED_DISC;
                break;
npzacs's avatar
npzacs committed
822
            }
cRTrn13's avatar
openssl  
cRTrn13 committed
823

npzacs's avatar
npzacs committed
824
            crypto_aes128d(vuk, buf, aacs->uks + 16*i);
cRTrn13's avatar
openssl  
cRTrn13 committed
825

npzacs's avatar
npzacs committed
826 827 828
            char str[40];
            DEBUG(DBG_AACS, "Unit key %d: %s\n", i,
                  print_hex(str, aacs->uks + 16*i, 16));
829 830
        }

npzacs's avatar
npzacs committed
831 832 833
        /* failing next is not fatal, it just slows down things */
        _read_uks_map(aacs, fp);

834
        file_close(fp);
cRTrn13's avatar
openssl  
cRTrn13 committed
835

npzacs's avatar
npzacs committed
836 837 838 839 840 841 842
        return error_code;
    }

    file_close(fp);

    DEBUG(DBG_AACS | DBG_CRIT, "Error reading unit keys\n");
    return AACS_ERROR_CORRUPTED_DISC;
cRTrn13's avatar
openssl  
cRTrn13 committed
843 844
}

845 846
static int _calc_title_hash(const char *path, uint8_t *title_hash)
{
847
    AACS_FILE_H *fp = NULL;
848 849 850
    uint8_t *ukf_buf;
    char     str[48];
    int64_t  f_size;
npzacs's avatar
npzacs committed
851
    int      result = AACS_SUCCESS;
852

npzacs's avatar
npzacs committed
853 854 855
    fp = _open_unit_key_file(path);
    if (!fp) {
        return AACS_ERROR_CORRUPTED_DISC;
856 857 858 859 860 861 862 863
    }

    file_seek(fp, 0, SEEK_END);
    f_size = file_tell(fp);
    file_seek(fp, 0, SEEK_SET);

    ukf_buf = malloc(f_size);

npzacs's avatar
npzacs committed
864 865 866
    if ((file_read(fp, ukf_buf, f_size)) == f_size) {
        crypto_aacs_title_hash(ukf_buf, f_size, title_hash);
        DEBUG(DBG_AACS, "Disc ID: %s\n", print_hex(str, title_hash, 20));
cRTrn13's avatar
cRTrn13 committed
867

npzacs's avatar
npzacs committed
868 869
    } else {
        result = AACS_ERROR_CORRUPTED_DISC;
npzacs's avatar
npzacs committed
870
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read %lu bytes from unit key file %s/AACS/Unit_Key_RO.inf", (unsigned long)f_size, path);
871 872 873 874 875
    }

    file_close(fp);
    X_FREE(ukf_buf);

npzacs's avatar
npzacs committed
876
    return result;
877
}
cRTrn13's avatar
cRTrn13 committed
878

879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922
static int _get_bus_encryption_enabled(const char *path)
{
    AACS_FILE_H *fp = NULL;
    uint8_t buf[2];
    int bee = 0;

    fp = _open_content_certificate_file(path);
    if (!fp) {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to open content certificate\n");
        return 0;
    }

    if (file_read(fp, buf, 2) == 2) {
        bee = (buf[1] & 0x80) >> 7;
        DEBUG(DBG_AACS, "Bus Encryption Enabled flag in content certificate: %d\n", bee);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Failed to read Bus Encryption Enabled flag from content certificate file\n");
    }

    file_close(fp);
    return bee;
}

static int _get_bus_encryption_capable(const char *path)
{
    MMC* mmc = NULL;
    uint8_t drive_cert[92];
    int bec = 0;

    if (!(mmc = mmc_open(path))) {
        return 0;
    }

    if (mmc_read_drive_cert(mmc, drive_cert) == MMC_SUCCESS) {
        bec = drive_cert[1] & 1;
        DEBUG(DBG_AACS, "Bus Encryption Capable flag in drive certificate: %d\n", bec);
    } else {
        DEBUG(DBG_AACS | DBG_CRIT, "Unable to read drive certificate\n");
    }

    mmc_close(mmc);
    return bec;
}

npzacs's avatar
npzacs committed
923
static int _verify_ts(uint8_t *buf, size_t size)
924
{
925 926
    uint8_t *ptr;

cRTrn13's avatar
cRTrn13 committed
927 928 929 930 931 932 933
    if (size < 192) {
        return 1;
    }

    for (ptr=buf; ptr < buf+192; ptr++) {
        int failed = 0;
        if (*ptr == 0x47) {
934 935 936 937
            uint8_t *ptr2;

            for (ptr2=ptr; ptr2 < buf + size; ptr2 += 192) {
                if (*ptr2 != 0x47) {
cRTrn13's avatar
cRTrn13 committed
938 939
                    failed = 1;
                    break;
940 941
                }
            }
cRTrn13's avatar
cRTrn13 committed
942 943 944
            if (!failed) {
                return 1;
            }
945 946 947 948
        }
        ptr++;
    }

cRTrn13's avatar
cRTrn13 committed
949
    DEBUG(DBG_AACS, "Failed to verify TS!\n");
950

cRTrn13's avatar
cRTrn13 committed
951
    return 0;
952 953
}

954
#define ALIGNED_UNIT_LEN 6144
955
static int _decrypt_unit(AACS *aacs, uint8_t *out_buf, const uint8_t *in_buf, uint32_t curr_uk)
cRTrn13's avatar
cRTrn13 committed
956
{
957 958
    gcry_cipher_hd_t gcry_h;
    int a;
959
    uint8_t key[16];
960 961 962

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0);
    gcry_cipher_setkey(gcry_h, aacs->uks + curr_uk * 16, 16);
963
    gcry_cipher_encrypt(gcry_h, key, 16, in_buf, 16);
964
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
965

cRTrn13's avatar
cRTrn13 committed
966
    for (a = 0; a < 16; a++) {
967
        key[a] ^= in_buf[a];
cRTrn13's avatar
cRTrn13 committed
968 969
    }

970 971
    memcpy(out_buf, in_buf, 16); /* first 16 bytes are plain */

972 973
    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, key, 16);
974
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
975
    gcry_cipher_decrypt(gcry_h, out_buf + 16, ALIGNED_UNIT_LEN - 16, in_buf + 16, ALIGNED_UNIT_LEN - 16);
976
    gcry_cipher_close(gcry_h);
cRTrn13's avatar
cRTrn13 committed
977

978
    if (_verify_ts(out_buf, ALIGNED_UNIT_LEN)) {
cRTrn13's avatar
cRTrn13 committed
979 980 981
        return 1;
    }

982
    if (curr_uk < aacs->num_uks - 1) {
983
        return _decrypt_unit(aacs, out_buf, in_buf, curr_uk++);
npzacs's avatar
npzacs committed
984 985
    }

cRTrn13's avatar
cRTrn13 committed
986 987 988
    return 0;
}

989
#define SECTOR_LEN 2048
990
static void _decrypt_bus(AACS *aacs, uint8_t *buf)
991 992 993 994 995
{
    gcry_cipher_hd_t gcry_h;

    gcry_cipher_open(&gcry_h, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(gcry_h, aacs->read_data_key, 16);
996
    gcry_cipher_setiv(gcry_h, aacs_iv, 16);
997
    gcry_cipher_decrypt(gcry_h, buf + 16, SECTOR_LEN - 16, NULL, 0);
998 999 1000
    gcry_cipher_close(gcry_h);
}

npzacs's avatar
npzacs committed
1001 1002
void aacs_get_version(int *major, int *minor, int *micro)
{
npzacs's avatar
npzacs committed
1003 1004 1005
    *major = AACS_VERSION_MAJOR;
    *minor = AACS_VERSION_MINOR;
    *micro = AACS_VERSION_MICRO;
npzacs's avatar
npzacs committed
1006 1007
}

npzacs's avatar
npzacs committed
1008
/* aacs_open2() wrapper for backwards compability */