mirror of
https://github.com/Atmosphere-NX/Atmosphere.git
synced 2025-01-11 03:46:22 +00:00
Fix AES-GCM code.
This commit is contained in:
parent
8e5228866c
commit
7e780301de
2 changed files with 25 additions and 22 deletions
|
@ -22,7 +22,6 @@ static void shl_128(uint64_t *val) {
|
||||||
val[0] <<= 1;
|
val[0] <<= 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
|
/* Multiplies two 128-bit numbers X,Y in the GF(128) Galois Field. */
|
||||||
static void gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
|
static void gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
|
||||||
uint8_t x_work[0x10];
|
uint8_t x_work[0x10];
|
||||||
|
@ -59,14 +58,12 @@ static void gf128_mul(uint8_t *dst, const uint8_t *x, const uint8_t *y) {
|
||||||
|
|
||||||
/* Performs an AES-GCM GHASH operation over the data into dst. */
|
/* Performs an AES-GCM GHASH operation over the data into dst. */
|
||||||
static void ghash(void *dst, const void *data, size_t data_size, const void *j_block, bool encrypt) {
|
static void ghash(void *dst, const void *data, size_t data_size, const void *j_block, bool encrypt) {
|
||||||
uint8_t x[0x10];
|
uint8_t x[0x10] = {0};
|
||||||
uint8_t h[0x10];
|
uint8_t h[0x10];
|
||||||
|
|
||||||
uint64_t *p_x = (uint64_t *)(&x[0]);
|
uint64_t *p_x = (uint64_t *)(&x[0]);
|
||||||
uint64_t *p_data = (uint64_t *)data;
|
uint64_t *p_data = (uint64_t *)data;
|
||||||
|
|
||||||
memset(x, 0, 0x10);
|
|
||||||
|
|
||||||
/* H = aes_ecb_encrypt(zeroes) */
|
/* H = aes_ecb_encrypt(zeroes) */
|
||||||
se_aes_128_ecb_encrypt_block(KEYSLOT_SWITCH_TEMPKEY, h, 0x10, x, 0x10);
|
se_aes_128_ecb_encrypt_block(KEYSLOT_SWITCH_TEMPKEY, h, 0x10, x, 0x10);
|
||||||
|
|
||||||
|
@ -76,7 +73,6 @@ static void ghash(void *dst, const void *data, size_t data_size, const void *j_b
|
||||||
/* X = (X ^ current_block) * H */
|
/* X = (X ^ current_block) * H */
|
||||||
p_x[0] ^= p_data[0];
|
p_x[0] ^= p_data[0];
|
||||||
p_x[1] ^= p_data[1];
|
p_x[1] ^= p_data[1];
|
||||||
|
|
||||||
gf128_mul(x, x, h);
|
gf128_mul(x, x, h);
|
||||||
|
|
||||||
/* Increment p_data by 0x10 bytes. */
|
/* Increment p_data by 0x10 bytes. */
|
||||||
|
@ -91,11 +87,14 @@ static void ghash(void *dst, const void *data, size_t data_size, const void *j_b
|
||||||
gf128_mul(x, x, h);
|
gf128_mul(x, x, h);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint64_t xor_size = total_size << 3;
|
||||||
|
xor_size = __builtin_bswap64(xor_size);
|
||||||
|
|
||||||
/* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
|
/* Due to a Nintendo bug, the wrong QWORD gets XOR'd in the "final output block" case. */
|
||||||
if (encrypt) {
|
if (encrypt) {
|
||||||
p_x[1] ^= (uint64_t)(total_size << 3);
|
p_x[0] ^= xor_size;
|
||||||
} else {
|
} else {
|
||||||
p_x[0] ^= (uint64_t)(total_size << 3);
|
p_x[1] ^= xor_size;
|
||||||
}
|
}
|
||||||
|
|
||||||
gf128_mul(x, x, h);
|
gf128_mul(x, x, h);
|
||||||
|
@ -107,7 +106,6 @@ static void ghash(void *dst, const void *data, size_t data_size, const void *j_b
|
||||||
x[i] ^= h[i];
|
x[i] ^= h[i];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Copy output. */
|
/* Copy output. */
|
||||||
memcpy(dst, x, 0x10);
|
memcpy(dst, x, 0x10);
|
||||||
}
|
}
|
||||||
|
@ -126,16 +124,19 @@ size_t gcm_decrypt_key(void *dst, size_t dst_size, const void *src, size_t src_s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint8_t intermediate_buf[0x400] = {0};
|
||||||
|
|
||||||
/* Unwrap the key */
|
/* Unwrap the key */
|
||||||
unseal_key(KEYSLOT_SWITCH_TEMPKEY, sealed_kek, kek_size, usecase);
|
unseal_key(KEYSLOT_SWITCH_TEMPKEY, sealed_kek, kek_size, usecase);
|
||||||
decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, KEYSLOT_SWITCH_TEMPKEY, wrapped_key, key_size);
|
decrypt_data_into_keyslot(KEYSLOT_SWITCH_TEMPKEY, KEYSLOT_SWITCH_TEMPKEY, wrapped_key, key_size);
|
||||||
|
|
||||||
/* Decrypt the GCM keypair, AES-CTR with CTR = blob[:0x10]. */
|
/* Decrypt the GCM keypair, AES-CTR with CTR = blob[:0x10]. */
|
||||||
se_aes_ctr_crypt(KEYSLOT_SWITCH_TEMPKEY, dst, dst_size, src + 0x10, src_size - 0x10, src, 0x10);
|
se_aes_ctr_crypt(KEYSLOT_SWITCH_TEMPKEY, intermediate_buf, dst_size, src + 0x10, src_size - 0x10, src, 0x10);
|
||||||
|
|
||||||
|
|
||||||
if (!is_personalized) {
|
if (!is_personalized) {
|
||||||
/* Devkit non-personalized keys have no further authentication. */
|
/* Devkit non-personalized keys have no further authentication. */
|
||||||
|
memcpy(dst, intermediate_buf, src_size - 0x10);
|
||||||
|
memset(intermediate_buf, 0, sizeof(intermediate_buf));
|
||||||
return src_size - 0x10;
|
return src_size - 0x10;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -147,7 +148,7 @@ size_t gcm_decrypt_key(void *dst, size_t dst_size, const void *src, size_t src_s
|
||||||
/* Note: That MAC is calculated over plaintext is non-standard. */
|
/* Note: That MAC is calculated over plaintext is non-standard. */
|
||||||
/* It is supposed to be over the ciphertext. */
|
/* It is supposed to be over the ciphertext. */
|
||||||
uint8_t calc_mac[0x10];
|
uint8_t calc_mac[0x10];
|
||||||
ghash(calc_mac, dst, src_size - 0x20, j_block, true);
|
ghash(calc_mac, intermediate_buf, src_size - 0x20, j_block, true);
|
||||||
|
|
||||||
/* Const-time memcmp. */
|
/* Const-time memcmp. */
|
||||||
const uint8_t *src_bytes = src;
|
const uint8_t *src_bytes = src;
|
||||||
|
@ -159,9 +160,11 @@ size_t gcm_decrypt_key(void *dst, size_t dst_size, const void *src, size_t src_s
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (read64le(src_bytes, src_size - 0x28) != fuse_get_device_id()) {
|
if ((read64be(intermediate_buf, src_size - 0x28) & 0x00FFFFFFFFFFFFFFULL) != fuse_get_device_id()) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memcpy(dst, intermediate_buf, src_size - 0x30);
|
||||||
|
memset(intermediate_buf, 0, sizeof(intermediate_buf));
|
||||||
return src_size - 0x30;
|
return src_size - 0x30;
|
||||||
}
|
}
|
||||||
|
|
|
@ -78,7 +78,7 @@ static inline uint64_t read64le(const volatile void *qword, size_t offset) {
|
||||||
return *(uint64_t *)((uintptr_t)qword + offset);
|
return *(uint64_t *)((uintptr_t)qword + offset);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline uint32_t read64be(const volatile void *qword, size_t offset) {
|
static inline uint64_t read64be(const volatile void *qword, size_t offset) {
|
||||||
return __builtin_bswap64(read64le(qword, offset));
|
return __builtin_bswap64(read64le(qword, offset));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue