p7zip-rar/CPP/7zip/Crypto/Rar5Aes.cpp
2017-10-11 12:40:22 +02:00

258 lines
5.4 KiB
C++

// Crypto/Rar5Aes.cpp
#include "StdAfx.h"
#include "../../../C/CpuArch.h"
#ifndef _7ZIP_ST
#include "../../Windows/Synchronization.h"
#endif
#include "Rar5Aes.h"
namespace NCrypto {
namespace NRar5 {
static const unsigned kNumIterationsLog_Max = 24;
static const unsigned kPswCheckCsumSize = 4;
static const unsigned kCheckSize = kPswCheckSize + kPswCheckCsumSize;
CKey::CKey():
_needCalc(true),
_numIterationsLog(0)
{
for (unsigned i = 0; i < sizeof(_salt); i++)
_salt[i] = 0;
}
CDecoder::CDecoder(): CAesCbcDecoder(kAesKeySize) {}
static unsigned ReadVarInt(const Byte *p, unsigned maxSize, UInt64 *val)
{
unsigned i;
*val = 0;
for (i = 0; i < maxSize;)
{
Byte b = p[i];
if (i < 10)
*val |= (UInt64)(b & 0x7F) << (7 * i++);
if ((b & 0x80) == 0)
return i;
}
return 0;
}
HRESULT CDecoder::SetDecoderProps(const Byte *p, unsigned size, bool includeIV, bool isService)
{
UInt64 Version;
unsigned num = ReadVarInt(p, size, &Version);
if (num == 0)
return E_NOTIMPL;
p += num;
size -= num;
if (Version != 0)
return E_NOTIMPL;
num = ReadVarInt(p, size, &Flags);
if (num == 0)
return E_NOTIMPL;
p += num;
size -= num;
bool isCheck = IsThereCheck();
if (size != 1 + kSaltSize + (includeIV ? AES_BLOCK_SIZE : 0) + (unsigned)(isCheck ? kCheckSize : 0))
return E_NOTIMPL;
if (_numIterationsLog != p[0])
{
_numIterationsLog = p[0];
_needCalc = true;
}
p++;
if (memcmp(_salt, p, kSaltSize) != 0)
{
memcpy(_salt, p, kSaltSize);
_needCalc = true;
}
p += kSaltSize;
if (includeIV)
{
memcpy(_iv, p, AES_BLOCK_SIZE);
p += AES_BLOCK_SIZE;
}
_canCheck = true;
if (isCheck)
{
memcpy(_check, p, kPswCheckSize);
CSha256 sha;
Byte digest[SHA256_DIGEST_SIZE];
Sha256_Init(&sha);
Sha256_Update(&sha, _check, kPswCheckSize);
Sha256_Final(&sha, digest);
_canCheck = (memcmp(digest, p + kPswCheckSize, kPswCheckCsumSize) == 0);
if (_canCheck && isService)
{
// There was bug in RAR 5.21- : PswCheck field in service records ("QO") contained zeros.
// so we disable password checking for such bad records.
_canCheck = false;
for (unsigned i = 0; i < kPswCheckSize; i++)
if (p[i] != 0)
{
_canCheck = true;
break;
}
}
}
return (_numIterationsLog <= kNumIterationsLog_Max ? S_OK : E_NOTIMPL);
}
void CDecoder::SetPassword(const Byte *data, size_t size)
{
if (size != _password.Size() || memcmp(data, _password, size) != 0)
{
_needCalc = true;
_password.CopyFrom(data, size);
}
}
STDMETHODIMP CDecoder::Init()
{
CalcKey_and_CheckPassword();
RINOK(SetKey(_key, kAesKeySize));
RINOK(SetInitVector(_iv, AES_BLOCK_SIZE));
return CAesCbcCoder::Init();
}
UInt32 CDecoder::Hmac_Convert_Crc32(UInt32 crc) const
{
NSha256::CHmac ctx;
ctx.SetKey(_hashKey, NSha256::kDigestSize);
Byte v[4];
SetUi32(v, crc);
ctx.Update(v, 4);
Byte h[NSha256::kDigestSize];
ctx.Final(h);
crc = 0;
for (unsigned i = 0; i < NSha256::kDigestSize; i++)
crc ^= (UInt32)h[i] << ((i & 3) * 8);
return crc;
};
void CDecoder::Hmac_Convert_32Bytes(Byte *data) const
{
NSha256::CHmac ctx;
ctx.SetKey(_hashKey, NSha256::kDigestSize);
ctx.Update(data, NSha256::kDigestSize);
ctx.Final(data);
};
#ifndef _7ZIP_ST
static CKey g_Key;
static NWindows::NSynchronization::CCriticalSection g_GlobalKeyCacheCriticalSection;
#define MT_LOCK NWindows::NSynchronization::CCriticalSectionLock lock(g_GlobalKeyCacheCriticalSection);
#else
#define MT_LOCK
#endif
bool CDecoder::CalcKey_and_CheckPassword()
{
if (_needCalc)
{
{
MT_LOCK
if (!g_Key._needCalc && IsKeyEqualTo(g_Key))
{
CopyCalcedKeysFrom(g_Key);
_needCalc = false;
}
}
if (_needCalc)
{
Byte pswCheck[SHA256_DIGEST_SIZE];
{
// Pbkdf HMAC-SHA-256
NSha256::CHmac baseCtx;
baseCtx.SetKey(_password, _password.Size());
NSha256::CHmac ctx = baseCtx;
ctx.Update(_salt, sizeof(_salt));
Byte u[NSha256::kDigestSize];
Byte key[NSha256::kDigestSize];
u[0] = 0;
u[1] = 0;
u[2] = 0;
u[3] = 1;
ctx.Update(u, 4);
ctx.Final(u);
memcpy(key, u, NSha256::kDigestSize);
UInt32 numIterations = ((UInt32)1 << _numIterationsLog) - 1;
for (unsigned i = 0; i < 3; i++)
{
UInt32 j = numIterations;
for (; j != 0; j--)
{
ctx = baseCtx;
ctx.Update(u, NSha256::kDigestSize);
ctx.Final(u);
for (unsigned s = 0; s < NSha256::kDigestSize; s++)
key[s] ^= u[s];
}
// RAR uses additional iterations for additional keys
memcpy((i == 0 ? _key : (i == 1 ? _hashKey : pswCheck)), key, NSha256::kDigestSize);
numIterations = 16;
}
}
{
unsigned i;
for (i = 0; i < kPswCheckSize; i++)
_check_Calced[i] = pswCheck[i];
for (i = kPswCheckSize; i < SHA256_DIGEST_SIZE; i++)
_check_Calced[i & (kPswCheckSize - 1)] ^= pswCheck[i];
}
_needCalc = false;
{
MT_LOCK
g_Key = *this;
}
}
}
if (IsThereCheck() && _canCheck)
return (memcmp(_check_Calced, _check, kPswCheckSize) == 0);
return true;
}
}}