15.06

CPP/7zip/Crypto/HmacSha256.cpp

@@ -0,0 +1,62 @@
+// HmacSha256.cpp
+
+#include "StdAfx.h"
+
+#include "../../../C/CpuArch.h"
+
+#include "HmacSha256.h"
+
+namespace NCrypto {
+namespace NSha256 {
+
+static const unsigned kBlockSize = 64;
+
+void CHmac::SetKey(const Byte *key, size_t keySize)
+{
+  Byte temp[kBlockSize];
+  size_t i;
+  
+  for (i = 0; i < kBlockSize; i++)
+    temp[i] = 0;
+  
+  if (keySize > kBlockSize)
+  {
+    Sha256_Init(&_sha);
+    Sha256_Update(&_sha, key, keySize);
+    Sha256_Final(&_sha, temp);
+  }
+  else
+    for (i = 0; i < keySize; i++)
+      temp[i] = key[i];
+  
+  for (i = 0; i < kBlockSize; i++)
+    temp[i] ^= 0x36;
+  
+  Sha256_Init(&_sha);
+  Sha256_Update(&_sha, temp, kBlockSize);
+  
+  for (i = 0; i < kBlockSize; i++)
+    temp[i] ^= 0x36 ^ 0x5C;
+
+  Sha256_Init(&_sha2);
+  Sha256_Update(&_sha2, temp, kBlockSize);
+}
+
+void CHmac::Final(Byte *mac)
+{
+  Sha256_Final(&_sha, mac);
+  Sha256_Update(&_sha2, mac, SHA256_DIGEST_SIZE);
+  Sha256_Final(&_sha2, mac);
+}
+
+/*
+void CHmac::Final(Byte *mac, size_t macSize)
+{
+  Byte digest[SHA256_DIGEST_SIZE];
+  Final(digest);
+  for (size_t i = 0; i < macSize; i++)
+    mac[i] = digest[i];
+}
+*/
+
+}}

CPP/7zip/Crypto/HmacSha256.h

@@ -0,0 +1,27 @@
+// HmacSha256.h
+// Implements HMAC-SHA-256 (RFC2104, FIPS-198)
+
+#ifndef __CRYPTO_HMAC_SHA256_H
+#define __CRYPTO_HMAC_SHA256_H
+
+#include "../../../C/Sha256.h"
+
+namespace NCrypto {
+namespace NSha256 {
+
+const unsigned kDigestSize = SHA256_DIGEST_SIZE;
+
+class CHmac
+{
+  CSha256 _sha;
+  CSha256 _sha2;
+public:
+  void SetKey(const Byte *key, size_t keySize);
+  void Update(const Byte *data, size_t dataSize) { Sha256_Update(&_sha, data, dataSize); }
+  void Final(Byte *mac);
+  // void Final(Byte *mac, size_t macSize);
+};
+
+}}
+
+#endif

CPP/7zip/Crypto/Rar20Crypto.cpp

@@ -9,7 +9,7 @@
 #include "Rar20Crypto.h"
 
 namespace NCrypto {
-namespace NRar20 {
+namespace NRar2 {
 
 static const unsigned kNumRounds = 32;
 
@@ -39,44 +39,48 @@ void CData::UpdateKeys(const Byte *data)
       Keys[j] ^= g_CrcTable[data[i + j]];
 }
 
-static void Swap(Byte *b1, Byte *b2)
+static inline void Swap(Byte &b1, Byte &b2)
 {
-  Byte b = *b1;
-  *b1 = *b2;
-  *b2 = b;
+  Byte b = b1;
+  b1 = b2;
+  b2 = b;
 }
 
-void CData::SetPassword(const Byte *data, UInt32 size)
+void CData::SetPassword(const Byte *data, unsigned size)
 {
   Keys[0] = 0xD3A3B879L;
   Keys[1] = 0x3F6D12F7L;
   Keys[2] = 0x7515A235L;
   Keys[3] = 0xA4E7F123L;
   
-  Byte psw[256];
-  if (size >= sizeof(psw))
-    size = sizeof(psw) - 1;
+  Byte psw[128];
   memset(psw, 0, sizeof(psw));
   if (size != 0)
+  {
+    if (size >= sizeof(psw))
+      size = sizeof(psw) - 1;
     memcpy(psw, data, size);
+  }
+
   memcpy(SubstTable, g_InitSubstTable, sizeof(SubstTable));
 
-  for (UInt32 j = 0; j < 256; j++)
-    for (UInt32 i = 0; i < size; i += 2)
+  for (unsigned j = 0; j < 256; j++)
+    for (unsigned i = 0; i < size; i += 2)
     {
-      UInt32 n2 = (Byte)g_CrcTable[(psw[i + 1] + j) & 0xFF];
-      UInt32 n1 = (Byte)g_CrcTable[(psw[i] - j) & 0xFF];
-      for (UInt32 k = 1; (n1 & 0xFF) != n2; n1++, k++)
-        Swap(&SubstTable[n1 & 0xFF], &SubstTable[(n1 + i + k) & 0xFF]);
+      unsigned n1 = (Byte)g_CrcTable[(psw[i] - j) & 0xFF];
+      unsigned n2 = (Byte)g_CrcTable[(psw[i + 1] + j) & 0xFF];
+      for (unsigned k = 1; (n1 & 0xFF) != n2; n1++, k++)
+        Swap(SubstTable[n1 & 0xFF], SubstTable[(n1 + i + k) & 0xFF]);
     }
-  for (UInt32 i = 0; i < size; i += 16)
-    EncryptBlock(&psw[i]);
+  
+  for (unsigned i = 0; i < size; i += 16)
+    EncryptBlock(psw + i);
 }
 
 void CData::CryptBlock(Byte *buf, bool encrypt)
 {
   Byte inBuf[16];
-  UInt32 A, B, C, D, T, TA, TB;
+  UInt32 A, B, C, D;
 
   A = GetUi32(buf +  0) ^ Keys[0];
   B = GetUi32(buf +  4) ^ Keys[1];
@@ -89,14 +93,10 @@ void CData::CryptBlock(Byte *buf, bool encrypt)
   for (unsigned i = 0; i < kNumRounds; i++)
   {
     UInt32 key = Keys[(encrypt ? i : (kNumRounds - 1 - i)) & 3];
-    T = ((C + rotlFixed(D, 11)) ^ key);
-    TA = A ^ SubstLong(T);
-    T = ((D ^ rotlFixed(C, 17)) + key);
-    TB = B ^ SubstLong(T);
-    A = C;
-    B = D;
-    C = TA;
-    D = TB;
+    UInt32 TA = A ^ SubstLong((C + rotlFixed(D, 11)) ^ key);
+    UInt32 TB = B ^ SubstLong((D ^ rotlFixed(C, 17)) + key);
+    A = C; C = TA;
+    B = D; D = TB;
   }
 
   SetUi32(buf +  0, C ^ Keys[0]);
@@ -107,12 +107,6 @@ void CData::CryptBlock(Byte *buf, bool encrypt)
   UpdateKeys(encrypt ? buf : inBuf);
 }
 
-STDMETHODIMP CDecoder::CryptoSetPassword(const Byte *data, UInt32 size)
-{
-  _cipher.SetPassword(data, size);
-  return S_OK;
-}
-
 STDMETHODIMP CDecoder::Init()
 {
   return S_OK;
@@ -126,10 +120,10 @@ STDMETHODIMP_(UInt32) CDecoder::Filter(Byte *data, UInt32 size)
     return 0;
   if (size < kBlockSize)
     return kBlockSize;
-  UInt32 i;
   size -= kBlockSize;
+  UInt32 i;
   for (i = 0; i <= size; i += kBlockSize)
-    _cipher.DecryptBlock(data + i);
+    DecryptBlock(data + i);
   return i;
 }
 

CPP/7zip/Crypto/Rar20Crypto.h

@@ -6,13 +6,12 @@
 #include "../../Common/MyCom.h"
 
 #include "../ICoder.h"
-#include "../IPassword.h"
 
 namespace NCrypto {
-namespace NRar20 {
+namespace NRar2 {
 
 /* ICompressFilter::Init() does nothing for this filter.
-   Call CryptoSetPassword() to initialize filter. */
+   Call SetPassword() to initialize filter. */
 
 class CData
 {
@@ -31,22 +30,17 @@ class CData
 public:
   void EncryptBlock(Byte *buf) { CryptBlock(buf, true); }
   void DecryptBlock(Byte *buf) { CryptBlock(buf, false); }
-  void SetPassword(const Byte *password, UInt32 passwordLen);
+  void SetPassword(const Byte *password, unsigned passwordLen);
 };
 
 class CDecoder:
   public ICompressFilter,
-  public ICryptoSetPassword,
   public CMyUnknownImp,
   public CData
 {
-  CData _cipher;
 public:
-  MY_UNKNOWN_IMP1(ICryptoSetPassword)
-
-  STDMETHOD(Init)();
-  STDMETHOD_(UInt32, Filter)(Byte *data, UInt32 size);
-  STDMETHOD(CryptoSetPassword)(const Byte *data, UInt32 size);
+  MY_UNKNOWN_IMP
+  INTERFACE_ICompressFilter(;)
 };
 
 }}

CPP/7zip/Crypto/Rar5Aes.cpp

@@ -0,0 +1,257 @@
+// Crypto/Rar5Aes.cpp
+
+#include "StdAfx.h"
+
+#include "../../../C/CpuArch.h"
+
+#ifndef _7ZIP_ST
+#include "../../Windows/Synchronization.h"
+#endif
+
+#include "Rar5Aes.h"
+
+namespace NCrypto {
+namespace NRar5 {
+
+static const unsigned kNumIterationsLog_Max = 24;
+
+static const unsigned kPswCheckCsumSize = 4;
+static const unsigned kCheckSize = kPswCheckSize + kPswCheckCsumSize;
+
+CKey::CKey():
+    _needCalc(true),
+    _numIterationsLog(0)
+{
+  for (unsigned i = 0; i < sizeof(_salt); i++)
+    _salt[i] = 0;
+}
+
+CDecoder::CDecoder(): CAesCbcDecoder(kAesKeySize) {}
+
+static unsigned ReadVarInt(const Byte *p, unsigned maxSize, UInt64 *val)
+{
+  unsigned i;
+  *val = 0;
+
+  for (i = 0; i < maxSize;)
+  {
+    Byte b = p[i];
+    if (i < 10)
+      *val |= (UInt64)(b & 0x7F) << (7 * i++);
+    if ((b & 0x80) == 0)
+      return i;
+  }
+  return 0;
+}
+
+HRESULT CDecoder::SetDecoderProps(const Byte *p, unsigned size, bool includeIV, bool isService)
+{
+  UInt64 Version;
+  
+  unsigned num = ReadVarInt(p, size, &Version);
+  if (num == 0)
+    return E_NOTIMPL;
+  p += num;
+  size -= num;
+
+  if (Version != 0)
+    return E_NOTIMPL;
+  
+  num = ReadVarInt(p, size, &Flags);
+  if (num == 0)
+    return E_NOTIMPL;
+  p += num;
+  size -= num;
+
+  bool isCheck = IsThereCheck();
+  if (size != 1 + kSaltSize + (includeIV ? AES_BLOCK_SIZE : 0) + (unsigned)(isCheck ? kCheckSize : 0))
+    return E_NOTIMPL;
+
+  if (_numIterationsLog != p[0])
+  {
+    _numIterationsLog = p[0];
+    _needCalc = true;
+  }
+
+  p++;
+    
+  if (memcmp(_salt, p, kSaltSize) != 0)
+  {
+    memcpy(_salt, p, kSaltSize);
+    _needCalc = true;
+  }
+  
+  p += kSaltSize;
+  
+  if (includeIV)
+  {
+    memcpy(_iv, p, AES_BLOCK_SIZE);
+    p += AES_BLOCK_SIZE;
+  }
+  
+  _canCheck = true;
+  
+  if (isCheck)
+  {
+    memcpy(_check, p, kPswCheckSize);
+    CSha256 sha;
+    Byte digest[SHA256_DIGEST_SIZE];
+    Sha256_Init(&sha);
+    Sha256_Update(&sha, _check, kPswCheckSize);
+    Sha256_Final(&sha, digest);
+    _canCheck = (memcmp(digest, p + kPswCheckSize, kPswCheckCsumSize) == 0);
+    if (_canCheck && isService)
+    {
+      // There was bug in RAR 5.21- : PswCheck field in service records ("QO") contained zeros.
+      // so we disable password checking for such bad records.
+      _canCheck = false;
+      for (unsigned i = 0; i < kPswCheckSize; i++)
+        if (p[i] != 0)
+        {
+          _canCheck = true;
+          break;
+        }
+    }
+  }
+
+  return (_numIterationsLog <= kNumIterationsLog_Max ? S_OK : E_NOTIMPL);
+}
+
+
+void CDecoder::SetPassword(const Byte *data, size_t size)
+{
+  if (size != _password.Size() || memcmp(data, _password, size) != 0)
+  {
+    _needCalc = true;
+    _password.CopyFrom(data, size);
+  }
+}
+
+
+STDMETHODIMP CDecoder::Init()
+{
+  CalcKey_and_CheckPassword();
+  RINOK(SetKey(_key, kAesKeySize));
+  RINOK(SetInitVector(_iv, AES_BLOCK_SIZE));
+  return CAesCbcCoder::Init();
+}
+
+
+UInt32 CDecoder::Hmac_Convert_Crc32(UInt32 crc) const
+{
+  NSha256::CHmac ctx;
+  ctx.SetKey(_hashKey, NSha256::kDigestSize);
+  Byte v[4];
+  SetUi32(v, crc);
+  ctx.Update(v, 4);
+  Byte h[NSha256::kDigestSize];
+  ctx.Final(h);
+  crc = 0;
+  for (unsigned i = 0; i < NSha256::kDigestSize; i++)
+    crc ^= (UInt32)h[i] << ((i & 3) * 8);
+  return crc;
+};
+
+
+void CDecoder::Hmac_Convert_32Bytes(Byte *data) const
+{
+  NSha256::CHmac ctx;
+  ctx.SetKey(_hashKey, NSha256::kDigestSize);
+  ctx.Update(data, NSha256::kDigestSize);
+  ctx.Final(data);
+};
+
+
+#ifndef _7ZIP_ST
+  static CKey g_Key;
+  static NWindows::NSynchronization::CCriticalSection g_GlobalKeyCacheCriticalSection;
+  #define MT_LOCK NWindows::NSynchronization::CCriticalSectionLock lock(g_GlobalKeyCacheCriticalSection);
+#else
+  #define MT_LOCK
+#endif
+
+bool CDecoder::CalcKey_and_CheckPassword()
+{
+  if (_needCalc)
+  {
+    {
+      MT_LOCK
+      if (!g_Key._needCalc && IsKeyEqualTo(g_Key))
+      {
+        CopyCalcedKeysFrom(g_Key);
+        _needCalc = false;
+      }
+    }
+    
+    if (_needCalc)
+    {
+      Byte pswCheck[SHA256_DIGEST_SIZE];
+
+      {
+        // Pbkdf HMAC-SHA-256
+
+        NSha256::CHmac baseCtx;
+        baseCtx.SetKey(_password, _password.Size());
+        
+        NSha256::CHmac ctx = baseCtx;
+        ctx.Update(_salt, sizeof(_salt));
+        
+        Byte u[NSha256::kDigestSize];
+        Byte key[NSha256::kDigestSize];
+        
+        u[0] = 0;
+        u[1] = 0;
+        u[2] = 0;
+        u[3] = 1;
+        
+        ctx.Update(u, 4);
+        ctx.Final(u);
+        
+        memcpy(key, u, NSha256::kDigestSize);
+        
+        UInt32 numIterations = ((UInt32)1 << _numIterationsLog) - 1;
+        
+        for (unsigned i = 0; i < 3; i++)
+        {
+          UInt32 j = numIterations;
+          
+          for (; j != 0; j--)
+          {
+            ctx = baseCtx;
+            ctx.Update(u, NSha256::kDigestSize);
+            ctx.Final(u);
+            for (unsigned s = 0; s < NSha256::kDigestSize; s++)
+              key[s] ^= u[s];
+          }
+          
+          // RAR uses additional iterations for additional keys
+          memcpy((i == 0 ? _key : (i == 1 ? _hashKey : pswCheck)), key, NSha256::kDigestSize);
+          numIterations = 16;
+        }
+      }
+
+      {
+        unsigned i;
+       
+        for (i = 0; i < kPswCheckSize; i++)
+          _check_Calced[i] = pswCheck[i];
+      
+        for (i = kPswCheckSize; i < SHA256_DIGEST_SIZE; i++)
+          _check_Calced[i & (kPswCheckSize - 1)] ^= pswCheck[i];
+      }
+
+      _needCalc = false;
+      
+      {
+        MT_LOCK
+        g_Key = *this;
+      }
+    }
+  }
+  
+  if (IsThereCheck() && _canCheck)
+    return (memcmp(_check_Calced, _check, kPswCheckSize) == 0);
+  return true;
+}
+
+}}

CPP/7zip/Crypto/Rar5Aes.h

@@ -0,0 +1,84 @@
+// Crypto/Rar5Aes.h
+
+#ifndef __CRYPTO_RAR5_AES_H
+#define __CRYPTO_RAR5_AES_H
+
+#include "../../../C/Aes.h"
+
+#include "../../Common/MyBuffer.h"
+
+#include "HmacSha256.h"
+#include "MyAes.h"
+
+namespace NCrypto {
+namespace NRar5 {
+
+const unsigned kSaltSize = 16;
+const unsigned kPswCheckSize = 8;
+const unsigned kAesKeySize = 32;
+
+namespace NCryptoFlags
+{
+  const unsigned kPswCheck = 1 << 0;
+  const unsigned kUseMAC   = 1 << 1;
+}
+
+struct CKey
+{
+  bool _needCalc;
+
+  unsigned _numIterationsLog;
+  Byte _salt[kSaltSize];
+  CByteBuffer _password;
+  
+  Byte _key[kAesKeySize];
+  Byte _check_Calced[kPswCheckSize];
+  Byte _hashKey[SHA256_DIGEST_SIZE];
+
+  void CopyCalcedKeysFrom(const CKey &k)
+  {
+    memcpy(_key, k._key, sizeof(_key));
+    memcpy(_check_Calced, k._check_Calced, sizeof(_check_Calced));
+    memcpy(_hashKey, k._hashKey, sizeof(_hashKey));
+  }
+
+  bool IsKeyEqualTo(const CKey &key)
+  {
+    return (_numIterationsLog == key._numIterationsLog
+        && memcmp(_salt, key._salt, sizeof(_salt)) == 0
+        && _password == key._password);
+  }
+  
+  CKey();
+};
+
+
+class CDecoder:
+  public CAesCbcDecoder,
+  public CKey
+{
+  Byte _check[kPswCheckSize];
+  bool _canCheck;
+  UInt64 Flags;
+
+  bool IsThereCheck() const { return ((Flags & NCryptoFlags::kPswCheck) != 0); }
+public:
+  Byte _iv[AES_BLOCK_SIZE];
+  
+  CDecoder();
+
+  STDMETHOD(Init)();
+
+  void SetPassword(const Byte *data, size_t size);
+  HRESULT SetDecoderProps(const Byte *data, unsigned size, bool includeIV, bool isService);
+
+  bool CalcKey_and_CheckPassword();
+
+  bool UseMAC() const { return (Flags & NCryptoFlags::kUseMAC) != 0; }
+  UInt32 Hmac_Convert_Crc32(UInt32 crc) const;
+  void Hmac_Convert_32Bytes(Byte *data) const;
+};
+
+}}
+
+#endif

CPP/7zip/Crypto/RarAes.cpp

@@ -1,5 +1,4 @@
 // Crypto/RarAes.cpp
-// Note: you must include MyAes.cpp to project to initialize AES tables
 
 #include "StdAfx.h"
 
@@ -7,10 +6,10 @@
 #include "Sha1Cls.h"
 
 namespace NCrypto {
-namespace NRar29 {
+namespace NRar3 {
 
 CDecoder::CDecoder():
-    CAesCbcDecoder(kRarAesKeySize),
+    CAesCbcDecoder(kAesKeySize),
     _thereIsSalt(false),
     _needCalc(true),
     _rar350Mode(false)
@@ -19,7 +18,7 @@ CDecoder::CDecoder():
     _salt[i] = 0;
 }
 
-STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+HRESULT CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
 {
   bool prev = _thereIsSalt;
   _thereIsSalt = false;
@@ -53,12 +52,12 @@ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
   return S_OK;
 }
 
-static const unsigned kPasswordLen_MAX = 127 * 2;
+static const unsigned kPasswordLen_Bytes_MAX = 127 * 2;
 
-STDMETHODIMP CDecoder::CryptoSetPassword(const Byte *data, UInt32 size)
+void CDecoder::SetPassword(const Byte *data, unsigned size)
 {
-  if (size > kPasswordLen_MAX)
-    size = kPasswordLen_MAX;
+  if (size > kPasswordLen_Bytes_MAX)
+    size = kPasswordLen_Bytes_MAX;
   bool same = false;
   if (size == _password.Size())
   {
@@ -73,13 +72,12 @@ STDMETHODIMP CDecoder::CryptoSetPassword(const Byte *data, UInt32 size)
   if (!_needCalc && !same)
     _needCalc = true;
   _password.CopyFrom(data, (size_t)size);
-  return S_OK;
 }
 
 STDMETHODIMP CDecoder::Init()
 {
   CalcKey();
-  RINOK(SetKey(_key, kRarAesKeySize));
+  RINOK(SetKey(_key, kAesKeySize));
   RINOK(SetInitVector(_iv, AES_BLOCK_SIZE));
   return CAesCbcCoder::Init();
 }
@@ -91,7 +89,7 @@ void CDecoder::CalcKey()
 
   const unsigned kSaltSize = 8;
   
-  Byte buf[kPasswordLen_MAX + kSaltSize];
+  Byte buf[kPasswordLen_Bytes_MAX + kSaltSize];
   
   if (_password.Size() != 0)
     memcpy(buf, _password, _password.Size());
@@ -109,7 +107,7 @@ void CDecoder::CalcKey()
   
   Byte digest[NSha1::kDigestSize];
   // rar reverts hash for sha.
-  const UInt32 kNumRounds = (1 << 18);
+  const UInt32 kNumRounds = ((UInt32)1 << 18);
   UInt32 i;
   for (i = 0; i < kNumRounds; i++)
   {

CPP/7zip/Crypto/RarAes.h

@@ -12,14 +12,14 @@
 #include "MyAes.h"
 
 namespace NCrypto {
-namespace NRar29 {
+namespace NRar3 {
 
-const UInt32 kRarAesKeySize = 16;
+const unsigned kAesKeySize = 16;
 
 class CDecoder:
-  public CAesCbcDecoder,
+  public CAesCbcDecoder
   // public ICompressSetDecoderProperties2,
-  public ICryptoSetPassword
+  // public ICryptoSetPassword
 {
   Byte _salt[8];
   bool _thereIsSalt;
@@ -28,17 +28,20 @@ class CDecoder:
   
   CByteBuffer _password;
   
-  Byte _key[kRarAesKeySize];
+  Byte _key[kAesKeySize];
   Byte _iv[AES_BLOCK_SIZE];
 
   void CalcKey();
 public:
+  /*
   MY_UNKNOWN_IMP1(
-    ICryptoSetPassword)
+    ICryptoSetPassword
     // ICompressSetDecoderProperties2
+  */
   STDMETHOD(Init)();
-  STDMETHOD(CryptoSetPassword)(const Byte *aData, UInt32 aSize);
-  STDMETHOD(SetDecoderProperties2)(const Byte *data, UInt32 size);
+  
+  void SetPassword(const Byte *data, unsigned size);
+  HRESULT SetDecoderProperties2(const Byte *data, UInt32 size);
 
   CDecoder();
   void SetRar350Mode(bool rar350Mode) { _rar350Mode = rar350Mode; }