xref: /aosp_15_r20/external/lzma/CPP/7zip/Crypto/Rar5Aes.cpp (revision f6dc9357d832569d4d1f5d24eacdb3935a1ae8e6) 
1 // Crypto/Rar5Aes.cpp
2 
3 #include "StdAfx.h"
4 
5 #include "../../../C/CpuArch.h"
6 
7 #ifndef Z7_ST
8 #include "../../Windows/Synchronization.h"
9 #endif
10 
11 #include "HmacSha256.h"
12 #include "Rar5Aes.h"
13 
14 #define MY_ALIGN_FOR_SHA256  MY_ALIGN(16)
15 
16 namespace NCrypto {
17 namespace NRar5 {
18 
19 static const unsigned kNumIterationsLog_Max = 24;
20 static const unsigned kPswCheckCsumSize32 = 1;
21 static const unsigned kCheckSize32 = kPswCheckSize32 + kPswCheckCsumSize32;
22 
CKey()23 CKey::CKey():
24     _needCalc(true),
25     _numIterationsLog(0)
26 {
27   for (unsigned i = 0; i < sizeof(_salt); i++)
28     _salt[i] = 0;
29 }
30 
~CKey()31 CKey::~CKey()
32 {
33   Wipe();
34 }
35 
Wipe()36 void CKey::Wipe()
37 {
38   _password.Wipe();
39   Z7_memset_0_ARRAY(_salt);
40   // Z7_memset_0_ARRAY(_key32);
41   // Z7_memset_0_ARRAY(_check_Calced32);
42   // Z7_memset_0_ARRAY(_hashKey32);
43   CKeyBase::Wipe();
44 }
45 
CDecoder()46 CDecoder::CDecoder(): CAesCbcDecoder(kAesKeySize) {}
47 
ReadVarInt(const Byte * p,unsigned maxSize,UInt64 * val)48 static unsigned ReadVarInt(const Byte *p, unsigned maxSize, UInt64 *val)
49 {
50   *val = 0;
51   for (unsigned i = 0; i < maxSize && i < 10;)
52   {
53     const Byte b = p[i];
54     *val |= (UInt64)(b & 0x7F) << (7 * i);
55     i++;
56     if ((b & 0x80) == 0)
57       return i;
58   }
59   return 0;
60 }
61 
SetDecoderProps(const Byte * p,unsigned size,bool includeIV,bool isService)62 HRESULT CDecoder::SetDecoderProps(const Byte *p, unsigned size, bool includeIV, bool isService)
63 {
64   UInt64 Version;
65 
66   unsigned num = ReadVarInt(p, size, &Version);
67   if (num == 0)
68     return E_NOTIMPL;
69   p += num;
70   size -= num;
71 
72   if (Version != 0)
73     return E_NOTIMPL;
74 
75   num = ReadVarInt(p, size, &Flags);
76   if (num == 0)
77     return E_NOTIMPL;
78   p += num;
79   size -= num;
80 
81   bool isCheck = IsThereCheck();
82   if (size != 1 + kSaltSize + (includeIV ? AES_BLOCK_SIZE : 0) + (unsigned)(isCheck ? kCheckSize32 * 4 : 0))
83     return E_NOTIMPL;
84 
85   if (_numIterationsLog != p[0])
86   {
87     _numIterationsLog = p[0];
88     _needCalc = true;
89   }
90 
91   p++;
92 
93   if (memcmp(_salt, p, kSaltSize) != 0)
94   {
95     memcpy(_salt, p, kSaltSize);
96     _needCalc = true;
97   }
98 
99   p += kSaltSize;
100 
101   if (includeIV)
102   {
103     memcpy(_iv, p, AES_BLOCK_SIZE);
104     p += AES_BLOCK_SIZE;
105   }
106 
107   _canCheck = true;
108 
109   if (isCheck)
110   {
111     memcpy(_check32, p, sizeof(_check32));
112     MY_ALIGN_FOR_SHA256
113     CSha256 sha;
114     MY_ALIGN_FOR_SHA256
115     Byte digest[SHA256_DIGEST_SIZE];
116     Sha256_Init(&sha);
117     Sha256_Update(&sha, (const Byte *)_check32, sizeof(_check32));
118     Sha256_Final(&sha, digest);
119     _canCheck = (memcmp(digest, p + sizeof(_check32), kPswCheckCsumSize32 * 4) == 0);
120     if (_canCheck && isService)
121     {
122       // There was bug in RAR 5.21- : PswCheck field in service records ("QO") contained zeros.
123       // so we disable password checking for such bad records.
124       _canCheck = false;
125       for (unsigned i = 0; i < kPswCheckSize32 * 4; i++)
126         if (p[i] != 0)
127         {
128           _canCheck = true;
129           break;
130         }
131     }
132   }
133 
134   return (_numIterationsLog <= kNumIterationsLog_Max ? S_OK : E_NOTIMPL);
135 }
136 
137 
SetPassword(const Byte * data,size_t size)138 void CDecoder::SetPassword(const Byte *data, size_t size)
139 {
140   if (size != _password.Size() || memcmp(data, _password, size) != 0)
141   {
142     _needCalc = true;
143     _password.Wipe();
144     _password.CopyFrom(data, size);
145   }
146 }
147 
148 
Z7_COM7F_IMF(CDecoder::Init ())149 Z7_COM7F_IMF(CDecoder::Init())
150 {
151   CalcKey_and_CheckPassword();
152   RINOK(SetKey((const Byte *)_key32, kAesKeySize))
153   RINOK(SetInitVector(_iv, AES_BLOCK_SIZE))
154   return CAesCoder::Init();
155 }
156 
157 
Hmac_Convert_Crc32(UInt32 crc) const158 UInt32 CDecoder::Hmac_Convert_Crc32(UInt32 crc) const
159 {
160   MY_ALIGN_FOR_SHA256
161   NSha256::CHmac ctx;
162   ctx.SetKey((const Byte *)_hashKey32, NSha256::kDigestSize);
163   UInt32 v;
164   SetUi32a(&v, crc)
165   ctx.Update((const Byte *)&v, 4);
166   MY_ALIGN_FOR_SHA256
167   UInt32 h[SHA256_NUM_DIGEST_WORDS];
168   ctx.Final((Byte *)h);
169   crc = 0;
170   for (unsigned i = 0; i < SHA256_NUM_DIGEST_WORDS; i++)
171     crc ^= (UInt32)GetUi32a(h + i);
172   return crc;
173 }
174 
175 
Hmac_Convert_32Bytes(Byte * data) const176 void CDecoder::Hmac_Convert_32Bytes(Byte *data) const
177 {
178   MY_ALIGN_FOR_SHA256
179   NSha256::CHmac ctx;
180   ctx.SetKey((const Byte *)_hashKey32, NSha256::kDigestSize);
181   ctx.Update(data, NSha256::kDigestSize);
182   ctx.Final(data);
183 }
184 
185 
186 static CKey g_Key;
187 
188 #ifndef Z7_ST
189   static NWindows::NSynchronization::CCriticalSection g_GlobalKeyCacheCriticalSection;
190   #define MT_LOCK NWindows::NSynchronization::CCriticalSectionLock lock(g_GlobalKeyCacheCriticalSection);
191 #else
192   #define MT_LOCK
193 #endif
194 
CalcKey_and_CheckPassword()195 bool CDecoder::CalcKey_and_CheckPassword()
196 {
197   if (_needCalc)
198   {
199     {
200       MT_LOCK
201       if (!g_Key._needCalc && IsKeyEqualTo(g_Key))
202       {
203         CopyCalcedKeysFrom(g_Key);
204         _needCalc = false;
205       }
206     }
207 
208     if (_needCalc)
209     {
210       MY_ALIGN_FOR_SHA256
211       UInt32 pswCheck[SHA256_NUM_DIGEST_WORDS];
212       {
213         // Pbkdf HMAC-SHA-256
214         MY_ALIGN_FOR_SHA256
215         NSha256::CHmac baseCtx;
216         baseCtx.SetKey(_password, _password.Size());
217         MY_ALIGN_FOR_SHA256
218         NSha256::CHmac ctx;
219         ctx = baseCtx;
220         ctx.Update(_salt, sizeof(_salt));
221 
222         MY_ALIGN_FOR_SHA256
223         UInt32 u[SHA256_NUM_DIGEST_WORDS];
224         MY_ALIGN_FOR_SHA256
225         UInt32 key[SHA256_NUM_DIGEST_WORDS];
226 
227         // u[0] = 0;
228         // u[1] = 0;
229         // u[2] = 0;
230         // u[3] = 1;
231         SetUi32a(u, 0x1000000)
232 
233         ctx.Update((const Byte *)(const void *)u, 4);
234         ctx.Final((Byte *)(void *)u);
235 
236         memcpy(key, u, NSha256::kDigestSize);
237 
238         UInt32 numIterations = ((UInt32)1 << _numIterationsLog) - 1;
239 
240         for (unsigned i = 0; i < 3; i++)
241         {
242           for (; numIterations != 0; numIterations--)
243           {
244             ctx = baseCtx;
245             ctx.Update((const Byte *)(const void *)u, NSha256::kDigestSize);
246             ctx.Final((Byte *)(void *)u);
247             for (unsigned s = 0; s < Z7_ARRAY_SIZE(u); s++)
248               key[s] ^= u[s];
249           }
250 
251           // RAR uses additional iterations for additional keys
252           memcpy(i == 0 ? _key32 : i == 1 ? _hashKey32 : pswCheck,
253               key, NSha256::kDigestSize);
254           numIterations = 16;
255         }
256       }
257      _check_Calced32[0] = pswCheck[0] ^ pswCheck[2] ^ pswCheck[4] ^ pswCheck[6];
258      _check_Calced32[1] = pswCheck[1] ^ pswCheck[3] ^ pswCheck[5] ^ pswCheck[7];
259       _needCalc = false;
260       {
261         MT_LOCK
262         g_Key = *this;
263       }
264     }
265   }
266 
267   if (IsThereCheck() && _canCheck)
268     return memcmp(_check_Calced32, _check32, sizeof(_check32)) == 0;
269   return true;
270 }
271 
272 }}
273