From 5757ba20de28000981a419bfcf63b1f658b20528 Mon Sep 17 00:00:00 2001 From: jakcron Date: Sun, 28 May 2017 20:46:30 +0800 Subject: [PATCH] [makerom] Fix encryption for production target. --- makerom/accessdesc.c | 10 ++++------ makerom/keyset.c | 2 +- makerom/keyset.h | 1 - makerom/ncch.c | 16 ++++++++++------ makerom/ncsd.c | 8 ++++---- makerom/tik.c | 5 +++-- makerom/tmd.c | 5 +++-- 7 files changed, 25 insertions(+), 22 deletions(-) diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c index 20c4e87..0e44788 100644 --- a/makerom/accessdesc.c +++ b/makerom/accessdesc.c @@ -23,10 +23,7 @@ int set_AccessDesc(exheader_settings *exhdrset) return accessdesc_GetSignFromPreset(exhdrset); else if(exhdrset->rsf->CommonHeaderKey.Found == true) // Keydata exists in RSF return accessdesc_GetSignFromRsf(exhdrset); - else if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false) // sign using rsa key - return accessdesc_SignWithKey(exhdrset); - - return 1; + return accessdesc_SignWithKey(exhdrset); } int accessdesc_SignWithKey(exheader_settings *exhdrset) @@ -48,13 +45,14 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset) arm11->threadPriority /= 2; /* Sign AccessDesc */ - if (SignAccessDesc(exhdrset->acexDesc, exhdrset->keys) != 0) + if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false) { printf("[ACEXDESC WARNING] Failed to sign access descriptor\n"); memset(exhdrset->acexDesc->signature, 0xFF, 0x100); + return 0; } - return 0; + return SignAccessDesc(exhdrset->acexDesc, exhdrset->keys); } int accessdesc_GetSignFromRsf(exheader_settings *exhdrset) diff --git a/makerom/keyset.c b/makerom/keyset.c index dbdec4d..19887fb 100644 --- a/makerom/keyset.c +++ b/makerom/keyset.c @@ -391,5 +391,5 @@ void Rsa2048Key_Set(rsa2048_key* key, const u8* pvt, const u8* pub) bool Rsa2048Key_CanSign(const rsa2048_key* key) { static const u8 rsa2048[RSA_2048_KEY_SIZE] = { 0 }; - return memcmp(key->pub, rsa2048, RSA_2048_KEY_SIZE) != 0 || memcmp(key->pvt, rsa2048, RSA_2048_KEY_SIZE) != 0; + return memcmp(key->pub, rsa2048, RSA_2048_KEY_SIZE) != 0 && memcmp(key->pvt, rsa2048, RSA_2048_KEY_SIZE) != 0; } \ No newline at end of file diff --git a/makerom/keyset.h b/makerom/keyset.h index ba3f874..2a35b38 100644 --- a/makerom/keyset.h +++ b/makerom/keyset.h @@ -30,7 +30,6 @@ typedef enum } pki_keyset; // Structs - typedef struct { u8 *pub; diff --git a/makerom/ncch.c b/makerom/ncch.c index af7996e..d054cac 100644 --- a/makerom/ncch.c +++ b/makerom/ncch.c @@ -36,27 +36,31 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode); // Code int SignCFA(ncch_hdr *hdr, keys_struct *keys) { - if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0) + if (Rsa2048Key_CanSign(&keys->rsa.cciCfa) == false) { printf("[NCCH WARNING] Failed to sign CFA header\n"); memset(GetNcchHdrSig(hdr), 0xFF, 0x100); + return 0; } - return 0; + + return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN); } int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys) { - return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfa.pub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY); + return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256,CTR_RSA_VERIFY); } int SignCXI(ncch_hdr *hdr, keys_struct *keys) { - if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0) + if (Rsa2048Key_CanSign(&keys->rsa.cxi) == false) { printf("[NCCH WARNING] Failed to sign CXI header\n"); memset(GetNcchHdrSig(hdr), 0xFF, 0x100); + return 0; } - return 0; + + return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN); } int CheckCXISignature(ncch_hdr *hdr, u8 *pubk) @@ -1089,7 +1093,7 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr) return false; if(keys->aes.ncchKeyX[ncch_keyx_index]) - ctr_aes_keygen(keys->aes.ncchKeyX[ncch_keyx_index], hdr->signature, keys->aes.ncchKey0); + ctr_aes_keygen(keys->aes.ncchKeyX[ncch_keyx_index], hdr->signature, keys->aes.ncchKey1); else return false; diff --git a/makerom/ncsd.c b/makerom/ncsd.c index 51e4b9c..b57d8f9 100644 --- a/makerom/ncsd.c +++ b/makerom/ncsd.c @@ -579,14 +579,14 @@ int GenCciHdr(cci_settings *set) // Sign Header - if (RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0) + if (Rsa2048Key_CanSign(&set->keys->rsa.cciCfa) == false) { printf("[NCSD WARNING] Failed to sign header\n"); memset(hdr->signature, 0xFF, 0x100); + return 0; } - - - return 0; + + return RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN); } char* GetMediaSizeStr(u64 mediaSize) diff --git a/makerom/tik.c b/makerom/tik.c index fb219ae..df95599 100644 --- a/makerom/tik.c +++ b/makerom/tik.c @@ -81,13 +81,14 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys) clrmem(sig,sizeof(tik_signature)); u32_to_u8(sig->sigType,RSA_2048_SHA256,BE); - if (RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0) + if (Rsa2048Key_CanSign(&keys->rsa.xs) == false) { printf("[TIK WARNING] Failed to sign header\n"); memset(sig->data, 0xFF, 0x100); + return 0; } - return 0; + return RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN); } int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode) diff --git a/makerom/tmd.c b/makerom/tmd.c index c7c5449..0b5fa83 100644 --- a/makerom/tmd.c +++ b/makerom/tmd.c @@ -71,13 +71,14 @@ int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys) clrmem(sig,sizeof(tmd_signature)); u32_to_u8(sig->sigType,RSA_2048_SHA256,BE); - if (RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0) + if (Rsa2048Key_CanSign(&keys->rsa.cp) == false) { printf("[TMD WARNING] Failed to sign header\n"); memset(sig->data, 0xFF, 0x100); + return 0; } - return 0; + return RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN); } int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)