Petri Hintukainen pushed to branch master at VideoLAN / libaacs
Commits: 0a13b930 by npzacs at 2021-05-04T17:46:29+03:00 Remove double logging - - - - - d962a0dc by npzacs at 2021-05-04T17:49:57+03:00 Check crypto_aacs_sign() result - - - - - 53e37d59 by npzacs at 2021-05-04T18:00:03+03:00 Query drive bus encryption capability only when needed Faster start with MacOS: - saves one mount/unmount when disc does not use bus encryption. => lot faster startup when disc keys are already cached. - - - - - 4 changed files: - src/libaacs/aacs.c - src/libaacs/crypto.c - src/libaacs/crypto.h - src/libaacs/mmc.c Changes: ===================================== src/libaacs/aacs.c ===================================== @@ -75,7 +75,7 @@ struct aacs { /* bus encryption */ int bee; /* bus encryption enabled flag in content certificate */ - int bec; /* bus encryption capable flag in drive certificate */ + int bec; /* bus encryption capable flag in drive certificate. -1 = unread. */ uint8_t read_data_key[16]; uint8_t drive_cert_hash[20]; @@ -1317,6 +1317,8 @@ int aacs_open_device(AACS *aacs, const char *path, const char *configfile_path) aacs->path = path ? str_dup(path) : NULL; aacs->cc = _read_cc_any(aacs); + aacs->bee = _get_bus_encryption_enabled(aacs); + aacs->bec = -1; error_code = _calc_title_hash(aacs); if (error_code != AACS_SUCCESS) { 
@@ -1331,18 +1333,20 @@ int aacs_open_device(AACS *aacs, const char *path, const char *configfile_path) BD_DEBUG(DBG_AACS, "Failed to initialize AACS!\n"); } - aacs->bee = _get_bus_encryption_enabled(aacs); - aacs->bec = _get_bus_encryption_capable(aacs, path); - - if (error_code == AACS_SUCCESS && aacs->bee && aacs->bec) { + if (error_code == AACS_SUCCESS && aacs->bee) { if (!cf) { return AACS_ERROR_NO_CONFIG; } + if (aacs->bec < 0) { + aacs->bec = _get_bus_encryption_capable(aacs, path); + } + if (aacs->bec > 0) { error_code = _read_read_data_key(aacs, cf->host_cert_list); if (error_code != AACS_SUCCESS) { BD_DEBUG(DBG_AACS | DBG_CRIT, "Unable to initialize bus encryption required by drive and disc\n"); + } } } @@ -1374,7 +1378,7 @@ void aacs_close(AACS *aacs) static void _decrypt_unit_bus(AACS *aacs, uint8_t *buf) { - if (aacs->bee && aacs->bec) { + if (aacs->bee && aacs->bec > 0) { unsigned int i; int crypto_err; for (i = 0; i < ALIGNED_UNIT_LEN; i += SECTOR_LEN) { @@ -1636,6 +1640,9 @@ void aacs_free_rl(AACS_RL_ENTRY **rl) uint32_t aacs_get_bus_encryption(AACS *aacs) { + if (aacs->bec < 0) { + aacs->bec = _get_bus_encryption_capable(aacs, aacs->path); + } return (aacs->bee * AACS_BUS_ENCRYPTION_ENABLED) | (aacs->bec * AACS_BUS_ENCRYPTION_CAPABLE); } ===================================== src/libaacs/crypto.c ===================================== @@ -429,7 +429,6 @@ static gcry_error_t _aacs_sexp_key(gcry_sexp_t *p_sexp_key, ); if (!strfmt) { - BD_DEBUG(DBG_AACS | DBG_CRIT, "out of memory\n"); err = GPG_ERR_ENOMEM; goto error; } @@ -558,8 +557,8 @@ error: * */ -void crypto_aacs_sign(const uint8_t *cert, const uint8_t *priv_key, uint8_t *signature, - const uint8_t *nonce, const uint8_t *point) +int crypto_aacs_sign(const uint8_t *cert, const uint8_t *priv_key, uint8_t *signature, + const uint8_t *nonce, const uint8_t *point) { gcry_sexp_t sexp_key = NULL, sexp_data = NULL, sexp_sig = NULL, sexp_r = NULL, sexp_s = NULL; gcry_mpi_t mpi_r = NULL, mpi_s = NULL; 
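Review bot: In aacs_open_device (the -1331 hunk) the `if (!cf) { return AACS_ERROR_NO_CONFIG; }` check now runs whenever `aacs->bee` is set, before the drive capability is known; the old condition required `aacs->bee && aacs->bec`. A disc with the bus-encryption flag, on a drive that is not capable and opened without a config file, would now fail with AACS_ERROR_NO_CONFIG even though no read data key is needed. Moving the check inside the `if (aacs->bec > 0) {` block, directly before `_read_read_data_key(aacs, cf->host_cert_list)`, keeps the lazy query and restores the previous behaviour. The function starts and ends outside this hunk, so the assumption that `cf` can be NULL while `error_code` is AACS_SUCCESS is inferred from the existing check.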
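Review bot: aacs_get_bus_encryption() (the -1636 hunk) still multiplies `aacs->bec` into the flag word, so the new -1 "unread" sentinel would set every bit of the returned uint32_t if it were still there after the lazy query. Whether `_get_bus_encryption_capable()` can return a negative value is not visible in this diff, so the getter currently relies on that helper's contract. Testing the sign removes that dependency: `(aacs->bec > 0 ? AACS_BUS_ENCRYPTION_CAPABLE : 0)` in place of `(aacs->bec * AACS_BUS_ENCRYPTION_CAPABLE)`, matching the `aacs->bec > 0` test added to `_decrypt_unit_bus`. A short comment that the first call may now issue a drive query would also help callers that treated this as a plain getter.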
@@ -628,6 +627,8 @@ void crypto_aacs_sign(const uint8_t *cert, const uint8_t *priv_key, uint8_t *sig gcry_sexp_release(sexp_s); gcry_mpi_release(mpi_r); gcry_mpi_release(mpi_s); + + return err; } static int _aacs_verify(const uint8_t *signature, enum gcry_md_algos hash_type, ===================================== src/libaacs/crypto.h ===================================== @@ -41,9 +41,9 @@ BD_PRIVATE int crypto_aes_cmac_16(const unsigned char *data, const unsigned cha BD_PRIVATE int crypto_aacs_decrypt(const uint8_t *key, uint8_t *out, size_t out_size, const uint8_t *in, size_t in_size) BD_USED; -BD_PRIVATE void crypto_aacs_sign(const uint8_t *cert, const uint8_t *priv_key, +BD_PRIVATE int crypto_aacs_sign(const uint8_t *cert, const uint8_t *priv_key, uint8_t *signature, - const uint8_t *nonce, const uint8_t *point); + const uint8_t *nonce, const uint8_t *point) BD_USED; BD_PRIVATE void crypto_aacs_title_hash(const uint8_t *ukf, uint64_t len, uint8_t *hash); BD_PRIVATE int crypto_aacs_verify(const uint8_t *cert, const uint8_t *signature, const uint8_t *data, uint32_t len) BD_USED; ===================================== src/libaacs/mmc.c ===================================== @@ -446,6 +446,7 @@ static int _mmc_aacs_auth(MMC *mmc, uint8_t agid, const uint8_t *host_priv_key, { uint8_t hks[40], dn[20], dkp[40], dks[40]; char str[512]; + int crypto_error; memset(hks, 0, sizeof(hks)); 
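Review bot: The crypto_aacs_sign() prototype in crypto.h now returns `int` and is marked BD_USED, but nothing states what the value means or what `signature` holds when signing fails. The mmc.c caller treats non-zero as failure and passes it to LOG_CRYPTO_ERROR, so it is presumably a gcrypt error code returned through `int`. I would add a comment above the declaration such as `/* returns 0 on success, gcrypt error code otherwise; signature must not be used on failure */`. The declaration of `err` in crypto.c is outside the hunks shown, so it is worth confirming that its type converts to the `int` return without losing the error value.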
@@ -504,8 +505,11 @@ static int _mmc_aacs_auth(MMC *mmc, uint8_t agid, const uint8_t *host_priv_key, } // sign - crypto_aacs_sign(host_cert, host_priv_key, hks, dn, - mmc->host_key_point); + crypto_error = crypto_aacs_sign(host_cert, host_priv_key, hks, dn, mmc->host_key_point); + if (crypto_error) { + LOG_CRYPTO_ERROR(DBG_MMC, "Signing failed", crypto_error); + return MMC_ERROR; + } // verify own signature if (!_verify_signature(host_cert, hks, dn, mmc->host_key_point)) { View it on GitLab: https://code.videolan.org/videolan/libaacs/-/compare/92857350477c35882d9ad12ea3e0903ad2aac77d...53e37d597fb15a2d3a7cb9a90056d84caf685195 -- View it on GitLab: https://code.videolan.org/videolan/libaacs/-/compare/92857350477c35882d9ad12ea3e0903ad2aac77d...53e37d597fb15a2d3a7cb9a90056d84caf685195 You're receiving this email because of your account on code.videolan.org.