From 6dd369ab88efa9f183104cf26304afc940b462cf Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 16:58:49 -0400
Subject: ctr_encryption_layer: Fix bug when transcoding small data Fixes a bug
 where data lengths of less than size 0x10 will fail or have misleading return
 values.

---
 src/core/crypto/ctr_encryption_layer.cpp | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/ctr_encryption_layer.cpp b/src/core/crypto/ctr_encryption_layer.cpp
index 106db02b3..3ea60dbd0 100644
--- a/src/core/crypto/ctr_encryption_layer.cpp
+++ b/src/core/crypto/ctr_encryption_layer.cpp
@@ -20,10 +20,8 @@ size_t CTREncryptionLayer::Read(u8* data, size_t length, size_t offset) const {
     if (sector_offset == 0) {
         UpdateIV(base_offset + offset);
         std::vector<u8> raw = base->ReadBytes(length, offset);
-        if (raw.size() != length)
-            return Read(data, raw.size(), offset);
-        cipher.Transcode(raw.data(), length, data, Op::Decrypt);
-        return length;
+        cipher.Transcode(raw.data(), raw.size(), data, Op::Decrypt);
+        return raw.size();
     }
 
     // offset does not fall on block boundary (0x10)
@@ -34,7 +32,7 @@ size_t CTREncryptionLayer::Read(u8* data, size_t length, size_t offset) const {
 
     if (length + sector_offset < 0x10) {
         std::memcpy(data, block.data() + sector_offset, std::min<u64>(length, read));
-        return read;
+        return std::min<u64>(length, read);
     }
     std::memcpy(data, block.data() + sector_offset, read);
     return read + Read(data + read, length - read, offset + read);
-- 
cgit v1.2.3


From 10e5356e9ac5756d8a48498cd1270862d3013476 Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 17:00:35 -0400
Subject: aes_util: Make XTSTranscode stricter about sizes XTS with Nintendo
 Tweak will fail mysteriously if the sector size is not 0x4000. Upgrade the
 critical log to an assert to prevent undefined behavior.

---
 src/core/crypto/aes_util.cpp | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/aes_util.cpp b/src/core/crypto/aes_util.cpp
index a9876c83e..72e4bed67 100644
--- a/src/core/crypto/aes_util.cpp
+++ b/src/core/crypto/aes_util.cpp
@@ -99,10 +99,7 @@ void AESCipher<Key, KeySize>::Transcode(const u8* src, size_t size, u8* dest, Op
 template <typename Key, size_t KeySize>
 void AESCipher<Key, KeySize>::XTSTranscode(const u8* src, size_t size, u8* dest, size_t sector_id,
                                            size_t sector_size, Op op) {
-    if (size % sector_size > 0) {
-        LOG_CRITICAL(Crypto, "Data size must be a multiple of sector size.");
-        return;
-    }
+    ASSERT_MSG(size % sector_size == 0, "XTS decryption size must be a multiple of sector size.");
 
     for (size_t i = 0; i < size; i += sector_size) {
         SetIV(CalculateNintendoTweak(sector_id++));
@@ -112,4 +109,4 @@ void AESCipher<Key, KeySize>::XTSTranscode(const u8* src, size_t size, u8* dest,
 
 template class AESCipher<Key128>;
 template class AESCipher<Key256>;
-} // namespace Core::Crypto
\ No newline at end of file
+} // namespace Core::Crypto
-- 
cgit v1.2.3


From c4845df3d4b9fc3fc19dd936af87090ffb3fbdf2 Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 17:01:32 -0400
Subject: xts_encryption_layer: Implement XTSEncryptionLayer

---
 src/core/crypto/xts_encryption_layer.cpp | 54 ++++++++++++++++++++++++++++++++
 src/core/crypto/xts_encryption_layer.h   | 26 +++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 src/core/crypto/xts_encryption_layer.cpp
 create mode 100644 src/core/crypto/xts_encryption_layer.h

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/xts_encryption_layer.cpp b/src/core/crypto/xts_encryption_layer.cpp
new file mode 100644
index 000000000..431099580
--- /dev/null
+++ b/src/core/crypto/xts_encryption_layer.cpp
@@ -0,0 +1,54 @@
+// Copyright 2018 yuzu emulator team
+// Licensed under GPLv2 or any later version
+// Refer to the license.txt file included.
+
+#include <cstring>
+#include "common/assert.h"
+#include "core/crypto/xts_encryption_layer.h"
+
+namespace Core::Crypto {
+
+XTSEncryptionLayer::XTSEncryptionLayer(FileSys::VirtualFile base_, Key256 key_)
+    : EncryptionLayer(std::move(base_)), cipher(key_, Mode::XTS) {}
+
+size_t XTSEncryptionLayer::Read(u8* data, size_t length, size_t offset) const {
+    if (length == 0)
+        return 0;
+
+    const auto sector_offset = offset & 0x3FFF;
+    if (sector_offset == 0) {
+        if (length % 0x4000 == 0) {
+            std::vector<u8> raw = base->ReadBytes(length, offset);
+            cipher.XTSTranscode(raw.data(), raw.size(), data, offset / 0x4000, 0x4000, Op::Decrypt);
+            return raw.size();
+        }
+        if (length > 0x4000) {
+            const auto rem = length % 0x4000;
+            const auto read = length - rem;
+            return Read(data, read, offset) + Read(data + read, rem, offset + read);
+        }
+        std::vector<u8> buffer = base->ReadBytes(0x4000, offset);
+        if (buffer.size() < 0x4000)
+            buffer.resize(0x4000);
+        cipher.XTSTranscode(buffer.data(), buffer.size(), buffer.data(), offset / 0x4000, 0x4000,
+                            Op::Decrypt);
+        std::memcpy(data, buffer.data(), std::min(buffer.size(), length));
+        return std::min(buffer.size(), length);
+    }
+
+    // offset does not fall on block boundary (0x4000)
+    std::vector<u8> block = base->ReadBytes(0x4000, offset - sector_offset);
+    if (block.size() < 0x4000)
+        block.resize(0x4000);
+    cipher.XTSTranscode(block.data(), block.size(), block.data(), (offset - sector_offset) / 0x4000,
+                        0x4000, Op::Decrypt);
+    const size_t read = 0x4000 - sector_offset;
+
+    if (length + sector_offset < 0x4000) {
+        std::memcpy(data, block.data() + sector_offset, std::min<u64>(length, read));
+        return std::min<u64>(length, read);
+    }
+    std::memcpy(data, block.data() + sector_offset, read);
+    return read + Read(data + read, length - read, offset + read);
+}
+} // namespace Core::Crypto
diff --git a/src/core/crypto/xts_encryption_layer.h b/src/core/crypto/xts_encryption_layer.h
new file mode 100644
index 000000000..1e1acaf4a
--- /dev/null
+++ b/src/core/crypto/xts_encryption_layer.h
@@ -0,0 +1,26 @@
+// Copyright 2018 yuzu emulator team
+// Licensed under GPLv2 or any later version
+// Refer to the license.txt file included.
+
+#pragma once
+
+#include <vector>
+#include "core/crypto/aes_util.h"
+#include "core/crypto/encryption_layer.h"
+#include "core/crypto/key_manager.h"
+
+namespace Core::Crypto {
+
+// Sits on top of a VirtualFile and provides XTS-mode AES decription.
+class XTSEncryptionLayer : public EncryptionLayer {
+public:
+    XTSEncryptionLayer(FileSys::VirtualFile base, Key256 key);
+
+    size_t Read(u8* data, size_t length, size_t offset) const override;
+
+private:
+    // Must be mutable as operations modify cipher contexts.
+    mutable AESCipher<Key256> cipher;
+};
+
+} // namespace Core::Crypto
-- 
cgit v1.2.3


From cde665c56514c1b701c0fe94fc943c7692be7f32 Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 17:10:01 -0400
Subject: key_manager: Switch to boost flat_map for keys Should make key gets
 marginally faster.

---
 src/core/crypto/key_manager.cpp |  5 +++--
 src/core/crypto/key_manager.h   | 41 +++++++++++------------------------------
 2 files changed, 14 insertions(+), 32 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index db8b22c85..95158e630 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -125,7 +125,8 @@ bool KeyManager::KeyFileExists(bool title) {
            FileUtil::Exists(yuzu_keys_dir + DIR_SEP + "prod.keys");
 }
 
-const std::unordered_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_file_id = {
+void KeyManager::DeriveSDSeedLazy() {
+const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_file_id = {
     {"master_key_00", {S128KeyType::Master, 0, 0}},
     {"master_key_01", {S128KeyType::Master, 1, 0}},
     {"master_key_02", {S128KeyType::Master, 2, 0}},
@@ -169,7 +170,7 @@ const std::unordered_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_fi
     {"key_area_key_system_04", {S128KeyType::KeyArea, 4, static_cast<u64>(KeyAreaKeyType::System)}},
 };
 
-const std::unordered_map<std::string, KeyIndex<S256KeyType>> KeyManager::s256_file_id = {
+const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> KeyManager::s256_file_id = {
     {"header_key", {S256KeyType::Header, 0, 0}},
     {"sd_card_save_key", {S256KeyType::SDSave, 0, 0}},
     {"sd_card_nca_key", {S256KeyType::SDNCA, 0, 0}},
diff --git a/src/core/crypto/key_manager.h b/src/core/crypto/key_manager.h
index 0c62d4421..33b1ad383 100644
--- a/src/core/crypto/key_manager.h
+++ b/src/core/crypto/key_manager.h
@@ -7,10 +7,11 @@
 #include <array>
 #include <string>
 #include <type_traits>
-#include <unordered_map>
 #include <vector>
+#include <boost/container/flat_map.hpp>
 #include <fmt/format.h>
 #include "common/common_types.h"
+#include "core/loader/loader.h"
 
 namespace Core::Crypto {
 
@@ -59,34 +60,14 @@ struct KeyIndex {
     }
 };
 
-// The following two (== and hash) are so KeyIndex can be a key in unordered_map
-
-template <typename KeyType>
-bool operator==(const KeyIndex<KeyType>& lhs, const KeyIndex<KeyType>& rhs) {
-    return std::tie(lhs.type, lhs.field1, lhs.field2) == std::tie(rhs.type, rhs.field1, rhs.field2);
-}
-
+// boost flat_map requires operator< for O(log(n)) lookups.
 template <typename KeyType>
-bool operator!=(const KeyIndex<KeyType>& lhs, const KeyIndex<KeyType>& rhs) {
-    return !operator==(lhs, rhs);
+bool operator<(const KeyIndex<KeyType>& lhs, const KeyIndex<KeyType>& rhs) {
+    return (static_cast<size_t>(lhs.type) < static_cast<size_t>(rhs.type)) ||
+           (lhs.type == rhs.type && lhs.field1 < rhs.field1) ||
+           (lhs.type == rhs.type && lhs.field1 == rhs.field1 && lhs.field2 < rhs.field2);
 }
 
-} // namespace Core::Crypto
-
-namespace std {
-template <typename KeyType>
-struct hash<Core::Crypto::KeyIndex<KeyType>> {
-    size_t operator()(const Core::Crypto::KeyIndex<KeyType>& k) const {
-        using std::hash;
-
-        return ((hash<u64>()(static_cast<u64>(k.type)) ^ (hash<u64>()(k.field1) << 1)) >> 1) ^
-               (hash<u64>()(k.field2) << 1);
-    }
-};
-} // namespace std
-
-namespace Core::Crypto {
-
 class KeyManager {
 public:
     KeyManager();
@@ -103,15 +84,15 @@ public:
     static bool KeyFileExists(bool title);
 
 private:
-    std::unordered_map<KeyIndex<S128KeyType>, Key128> s128_keys;
-    std::unordered_map<KeyIndex<S256KeyType>, Key256> s256_keys;
+    boost::container::flat_map<KeyIndex<S128KeyType>, Key128> s128_keys;
+    boost::container::flat_map<KeyIndex<S256KeyType>, Key256> s256_keys;
 
     bool dev_mode;
     void LoadFromFile(const std::string& filename, bool is_title_keys);
     void AttemptLoadKeyFile(const std::string& dir1, const std::string& dir2,
                             const std::string& filename, bool title);
 
-    static const std::unordered_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
-    static const std::unordered_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
+    static const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
+    static const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
 };
 } // namespace Core::Crypto
-- 
cgit v1.2.3


From f26fc64cb4f36fbc9be05ed153f32d8f4dd3850c Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 17:12:05 -0400
Subject: key_manager: Add support for KEK and SD seed derivation

---
 src/core/crypto/key_manager.cpp | 114 +++++++++++++++++++++++++++++++++++++++-
 src/core/crypto/key_manager.h   |  26 +++++++--
 2 files changed, 135 insertions(+), 5 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index 95158e630..e4b33f750 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -12,11 +12,105 @@
 #include "common/file_util.h"
 #include "common/hex_util.h"
 #include "common/logging/log.h"
+#include "core/crypto/aes_util.h"
 #include "core/crypto/key_manager.h"
 #include "core/settings.h"
 
 namespace Core::Crypto {
 
+Key128 GenerateKeyEncryptionKey(Key128 source, Key128 master, Key128 kek_seed, Key128 key_seed) {
+    Key128 out{};
+
+    AESCipher<Key128> cipher1(master, Mode::ECB);
+    cipher1.Transcode(kek_seed.data(), kek_seed.size(), out.data(), Op::Decrypt);
+    AESCipher<Key128> cipher2(out, Mode::ECB);
+    cipher2.Transcode(source.data(), source.size(), out.data(), Op::Decrypt);
+
+    if (key_seed != Key128{}) {
+        AESCipher<Key128> cipher3(out, Mode::ECB);
+        cipher3.Transcode(key_seed.data(), key_seed.size(), out.data(), Op::Decrypt);
+    }
+
+    return out;
+}
+
+boost::optional<Key128> DeriveSDSeed() {
+    const FileUtil::IOFile save_43(FileUtil::GetUserPath(FileUtil::UserPath::NANDDir) +
+                                       "/system/save/8000000000000043",
+                                   "rb+");
+    if (!save_43.IsOpen())
+        return boost::none;
+    const FileUtil::IOFile sd_private(
+        FileUtil::GetUserPath(FileUtil::UserPath::SDMCDir) + "/Nintendo/Contents/private", "rb+");
+    if (!sd_private.IsOpen())
+        return boost::none;
+
+    sd_private.Seek(0, SEEK_SET);
+    std::array<u8, 0x10> private_seed{};
+    if (sd_private.ReadBytes(private_seed.data(), private_seed.size()) != 0x10)
+        return boost::none;
+
+    std::array<u8, 0x10> buffer{};
+    size_t offset = 0;
+    for (; offset + 0x10 < save_43.GetSize(); ++offset) {
+        save_43.Seek(offset, SEEK_SET);
+        save_43.ReadBytes(buffer.data(), buffer.size());
+        if (buffer == private_seed)
+            break;
+    }
+
+    if (offset + 0x10 >= save_43.GetSize())
+        return boost::none;
+
+    Key128 seed{};
+    save_43.Seek(offset + 0x10, SEEK_SET);
+    save_43.ReadBytes(seed.data(), seed.size());
+    return seed;
+}
+
+Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManager& keys) {
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK)))
+        return Loader::ResultStatus::ErrorMissingSDKEKSource;
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration)))
+        return Loader::ResultStatus::ErrorMissingAESKEKGenerationSource;
+    if (!keys.HasKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration)))
+        return Loader::ResultStatus::ErrorMissingAESKeyGenerationSource;
+
+    const auto sd_kek_source =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK));
+    const auto aes_kek_gen =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration));
+    const auto aes_key_gen =
+        keys.GetKey(S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration));
+    const auto master_00 = keys.GetKey(S128KeyType::Master);
+    const auto sd_kek =
+        GenerateKeyEncryptionKey(sd_kek_source, master_00, aes_kek_gen, aes_key_gen);
+
+    if (!keys.HasKey(S128KeyType::SDSeed))
+        return Loader::ResultStatus::ErrorMissingSDSeed;
+    const auto sd_seed = keys.GetKey(S128KeyType::SDSeed);
+
+    if (!keys.HasKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save)))
+        return Loader::ResultStatus::ErrorMissingSDSaveKeySource;
+    if (!keys.HasKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA)))
+        return Loader::ResultStatus::ErrorMissingSDNCAKeySource;
+
+    std::array<Key256, 2> sd_key_sources{
+        keys.GetKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save)),
+        keys.GetKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA)),
+    };
+
+    AESCipher<Key128> cipher(sd_kek, Mode::ECB);
+    for (size_t i = 0; i < 2; ++i) {
+        for (size_t j = 0; j < 0x20; ++j)
+            sd_key_sources[i][j] ^= sd_seed[j & 0xF];
+        cipher.Transcode(sd_key_sources[i].data(), sd_key_sources[i].size(), sd_keys[i].data(),
+                         Op::Decrypt);
+    }
+
+    return Loader::ResultStatus::Success;
+}
+
 KeyManager::KeyManager() {
     // Initialize keys
     const std::string hactool_keys_dir = FileUtil::GetHactoolConfigurationPath();
@@ -24,12 +118,15 @@ KeyManager::KeyManager() {
     if (Settings::values.use_dev_keys) {
         dev_mode = true;
         AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "dev.keys", false);
+        AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "dev.keys_autogenerated", false);
     } else {
         dev_mode = false;
         AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "prod.keys", false);
+        AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "prod.keys_autogenerated", false);
     }
 
     AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "title.keys", true);
+    AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "title.keys_autogenerated", false);
 }
 
 void KeyManager::LoadFromFile(const std::string& filename, bool is_title_keys) {
@@ -126,6 +223,13 @@ bool KeyManager::KeyFileExists(bool title) {
 }
 
 void KeyManager::DeriveSDSeedLazy() {
+    if (!HasKey(S128KeyType::SDSeed)) {
+        const auto res = DeriveSDSeed();
+        if (res != boost::none)
+            SetKey(S128KeyType::SDSeed, res.get());
+    }
+}
+
 const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_file_id = {
     {"master_key_00", {S128KeyType::Master, 0, 0}},
     {"master_key_01", {S128KeyType::Master, 1, 0}},
@@ -168,11 +272,17 @@ const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager:
     {"key_area_key_system_02", {S128KeyType::KeyArea, 2, static_cast<u64>(KeyAreaKeyType::System)}},
     {"key_area_key_system_03", {S128KeyType::KeyArea, 3, static_cast<u64>(KeyAreaKeyType::System)}},
     {"key_area_key_system_04", {S128KeyType::KeyArea, 4, static_cast<u64>(KeyAreaKeyType::System)}},
+    {"sd_card_kek_source", {S128KeyType::Source, static_cast<u64>(SourceKeyType::SDKEK), 0}},
+    {"aes_kek_generation_source",
+     {S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKEKGeneration), 0}},
+    {"aes_key_generation_source",
+     {S128KeyType::Source, static_cast<u64>(SourceKeyType::AESKeyGeneration), 0}},
+    {"sd_seed", {S128KeyType::SDSeed, 0, 0}},
 };
 
 const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> KeyManager::s256_file_id = {
     {"header_key", {S256KeyType::Header, 0, 0}},
-    {"sd_card_save_key", {S256KeyType::SDSave, 0, 0}},
-    {"sd_card_nca_key", {S256KeyType::SDNCA, 0, 0}},
+    {"sd_card_save_key_source", {S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::Save), 0}},
+    {"sd_card_nca_key_source", {S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA), 0}},
 };
 } // namespace Core::Crypto
diff --git a/src/core/crypto/key_manager.h b/src/core/crypto/key_manager.h
index 33b1ad383..31040dc55 100644
--- a/src/core/crypto/key_manager.h
+++ b/src/core/crypto/key_manager.h
@@ -23,9 +23,8 @@ static_assert(sizeof(Key128) == 16, "Key128 must be 128 bytes big.");
 static_assert(sizeof(Key256) == 32, "Key128 must be 128 bytes big.");
 
 enum class S256KeyType : u64 {
-    Header, //
-    SDSave, //
-    SDNCA,  //
+    Header,      //
+    SDKeySource, // f1=SDKeyType
 };
 
 enum class S128KeyType : u64 {
@@ -37,6 +36,7 @@ enum class S128KeyType : u64 {
     KeyArea,       // f1=crypto revision f2=type {app, ocean, system}
     SDSeed,        //
     Titlekey,      // f1=rights id LSB f2=rights id MSB
+    Source,        // f1=source type, f2= sub id
 };
 
 enum class KeyAreaKeyType : u8 {
@@ -45,6 +45,17 @@ enum class KeyAreaKeyType : u8 {
     System,
 };
 
+enum class SourceKeyType : u8 {
+    SDKEK,
+    AESKEKGeneration,
+    AESKeyGeneration,
+};
+
+enum class SDKeyType : u8 {
+    Save,
+    NCA,
+};
+
 template <typename KeyType>
 struct KeyIndex {
     KeyType type;
@@ -83,6 +94,10 @@ public:
 
     static bool KeyFileExists(bool title);
 
+    // Call before using the sd seed to attempt to derive it if it dosen't exist. Needs system save
+    // 8*43 and the private file to exist.
+    void DeriveSDSeedLazy();
+
 private:
     boost::container::flat_map<KeyIndex<S128KeyType>, Key128> s128_keys;
     boost::container::flat_map<KeyIndex<S256KeyType>, Key256> s256_keys;
@@ -95,4 +110,9 @@ private:
     static const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
     static const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
 };
+
+Key128 GenerateKeyEncryptionKey(Key128 source, Key128 master, Key128 kek_seed, Key128 key_seed);
+boost::optional<Key128> DeriveSDSeed();
+Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManager& keys);
+
 } // namespace Core::Crypto
-- 
cgit v1.2.3


From 61a5b56abde4a87e1e66c76b506bdd4dada58389 Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Thu, 16 Aug 2018 17:12:31 -0400
Subject: key_manager: Add support for autogenerated keys Stored in a separate
 file than manual keys.

---
 src/core/crypto/key_manager.cpp | 46 ++++++++++++++++++++++++++++++++++++++---
 src/core/crypto/key_manager.h   |  2 ++
 2 files changed, 45 insertions(+), 3 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index e4b33f750..994ac4eec 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -153,17 +153,17 @@ void KeyManager::LoadFromFile(const std::string& filename, bool is_title_keys) {
             u128 rights_id{};
             std::memcpy(rights_id.data(), rights_id_raw.data(), rights_id_raw.size());
             Key128 key = Common::HexStringToArray<16>(out[1]);
-            SetKey(S128KeyType::Titlekey, key, rights_id[1], rights_id[0]);
+            s128_keys[{S128KeyType::Titlekey, rights_id[1], rights_id[0]}] = key;
         } else {
             std::transform(out[0].begin(), out[0].end(), out[0].begin(), ::tolower);
             if (s128_file_id.find(out[0]) != s128_file_id.end()) {
                 const auto index = s128_file_id.at(out[0]);
                 Key128 key = Common::HexStringToArray<16>(out[1]);
-                SetKey(index.type, key, index.field1, index.field2);
+                s128_keys[{index.type, index.field1, index.field2}] = key;
             } else if (s256_file_id.find(out[0]) != s256_file_id.end()) {
                 const auto index = s256_file_id.at(out[0]);
                 Key256 key = Common::HexStringToArray<32>(out[1]);
-                SetKey(index.type, key, index.field1, index.field2);
+                s256_keys[{index.type, index.field1, index.field2}] = key;
             }
         }
     }
@@ -197,11 +197,51 @@ Key256 KeyManager::GetKey(S256KeyType id, u64 field1, u64 field2) const {
     return s256_keys.at({id, field1, field2});
 }
 
+template <size_t Size>
+void KeyManager::WriteKeyToFile(bool title_key, std::string_view keyname,
+                                std::array<u8, Size> key) {
+    const std::string yuzu_keys_dir = FileUtil::GetUserPath(FileUtil::UserPath::KeysDir);
+    std::string filename = "title.keys_autogenerated";
+    if (!title_key)
+        filename = dev_mode ? "dev.keys_autogenerated" : "prod.keys_autogenerated";
+    const auto add_info_text = !FileUtil::Exists(yuzu_keys_dir + DIR_SEP + filename);
+    std::ofstream file(yuzu_keys_dir + DIR_SEP + filename, std::ios::app);
+    if (!file.is_open())
+        return;
+    if (add_info_text) {
+        file << "# This file is autogenerated by Yuzu" << std::endl
+             << "# It serves to store keys that were automatically generated from the normal keys"
+             << std::endl
+             << "# If you are experiencing issues involving keys, it may help to delete this file"
+             << std::endl;
+    }
+
+    file << std::endl
+         << fmt::format("{} = {}", keyname, Common::HexArrayToString(key)) << std::endl;
+    AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, filename, title_key);
+}
+
 void KeyManager::SetKey(S128KeyType id, Key128 key, u64 field1, u64 field2) {
+    const auto iter = std::find_if(
+        s128_file_id.begin(), s128_file_id.end(),
+        [&id, &field1, &field2](const std::pair<std::string, KeyIndex<S128KeyType>> elem) {
+            return std::tie(elem.second.type, elem.second.field1, elem.second.field2) ==
+                   std::tie(id, field1, field2);
+        });
+    if (iter != s128_file_id.end())
+        WriteKeyToFile(id == S128KeyType::Titlekey, iter->first, key);
     s128_keys[{id, field1, field2}] = key;
 }
 
 void KeyManager::SetKey(S256KeyType id, Key256 key, u64 field1, u64 field2) {
+    const auto iter = std::find_if(
+        s256_file_id.begin(), s256_file_id.end(),
+        [&id, &field1, &field2](const std::pair<std::string, KeyIndex<S256KeyType>> elem) {
+            return std::tie(elem.second.type, elem.second.field1, elem.second.field2) ==
+                   std::tie(id, field1, field2);
+        });
+    if (iter != s256_file_id.end())
+        WriteKeyToFile(false, iter->first, key);
     s256_keys[{id, field1, field2}] = key;
 }
 
diff --git a/src/core/crypto/key_manager.h b/src/core/crypto/key_manager.h
index 31040dc55..78d0b64e0 100644
--- a/src/core/crypto/key_manager.h
+++ b/src/core/crypto/key_manager.h
@@ -106,6 +106,8 @@ private:
     void LoadFromFile(const std::string& filename, bool is_title_keys);
     void AttemptLoadKeyFile(const std::string& dir1, const std::string& dir2,
                             const std::string& filename, bool title);
+    template <size_t Size>
+    void WriteKeyToFile(bool title_key, std::string_view keyname, std::array<u8, Size> key);
 
     static const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
     static const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
-- 
cgit v1.2.3


From 42dc856ce136c75f587649863ec5bd936ba8b07a Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Sat, 18 Aug 2018 21:14:57 -0400
Subject: crypto: Eliminate magic constants

---
 src/core/crypto/key_manager.cpp          |  2 +-
 src/core/crypto/xts_encryption_layer.cpp | 33 +++++++++++++++++---------------
 2 files changed, 19 insertions(+), 16 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index 994ac4eec..acf635a65 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -102,7 +102,7 @@ Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManag
 
     AESCipher<Key128> cipher(sd_kek, Mode::ECB);
     for (size_t i = 0; i < 2; ++i) {
-        for (size_t j = 0; j < 0x20; ++j)
+        for (size_t j = 0; j < sd_key_sources[i].size(); ++j)
             sd_key_sources[i][j] ^= sd_seed[j & 0xF];
         cipher.Transcode(sd_key_sources[i].data(), sd_key_sources[i].size(), sd_keys[i].data(),
                          Op::Decrypt);
diff --git a/src/core/crypto/xts_encryption_layer.cpp b/src/core/crypto/xts_encryption_layer.cpp
index 431099580..c6e5df1ce 100644
--- a/src/core/crypto/xts_encryption_layer.cpp
+++ b/src/core/crypto/xts_encryption_layer.cpp
@@ -8,6 +8,8 @@
 
 namespace Core::Crypto {
 
+constexpr u64 XTS_SECTOR_SIZE = 0x4000;
+
 XTSEncryptionLayer::XTSEncryptionLayer(FileSys::VirtualFile base_, Key256 key_)
     : EncryptionLayer(std::move(base_)), cipher(key_, Mode::XTS) {}
 
@@ -17,34 +19,35 @@ size_t XTSEncryptionLayer::Read(u8* data, size_t length, size_t offset) const {
 
     const auto sector_offset = offset & 0x3FFF;
     if (sector_offset == 0) {
-        if (length % 0x4000 == 0) {
+        if (length % XTS_SECTOR_SIZE == 0) {
             std::vector<u8> raw = base->ReadBytes(length, offset);
-            cipher.XTSTranscode(raw.data(), raw.size(), data, offset / 0x4000, 0x4000, Op::Decrypt);
+            cipher.XTSTranscode(raw.data(), raw.size(), data, offset / XTS_SECTOR_SIZE,
+                                XTS_SECTOR_SIZE, Op::Decrypt);
             return raw.size();
         }
-        if (length > 0x4000) {
-            const auto rem = length % 0x4000;
+        if (length > XTS_SECTOR_SIZE) {
+            const auto rem = length % XTS_SECTOR_SIZE;
             const auto read = length - rem;
             return Read(data, read, offset) + Read(data + read, rem, offset + read);
         }
-        std::vector<u8> buffer = base->ReadBytes(0x4000, offset);
-        if (buffer.size() < 0x4000)
-            buffer.resize(0x4000);
-        cipher.XTSTranscode(buffer.data(), buffer.size(), buffer.data(), offset / 0x4000, 0x4000,
-                            Op::Decrypt);
+        std::vector<u8> buffer = base->ReadBytes(XTS_SECTOR_SIZE, offset);
+        if (buffer.size() < XTS_SECTOR_SIZE)
+            buffer.resize(XTS_SECTOR_SIZE);
+        cipher.XTSTranscode(buffer.data(), buffer.size(), buffer.data(), offset / XTS_SECTOR_SIZE,
+                            XTS_SECTOR_SIZE, Op::Decrypt);
         std::memcpy(data, buffer.data(), std::min(buffer.size(), length));
         return std::min(buffer.size(), length);
     }
 
     // offset does not fall on block boundary (0x4000)
     std::vector<u8> block = base->ReadBytes(0x4000, offset - sector_offset);
-    if (block.size() < 0x4000)
-        block.resize(0x4000);
-    cipher.XTSTranscode(block.data(), block.size(), block.data(), (offset - sector_offset) / 0x4000,
-                        0x4000, Op::Decrypt);
-    const size_t read = 0x4000 - sector_offset;
+    if (block.size() < XTS_SECTOR_SIZE)
+        block.resize(XTS_SECTOR_SIZE);
+    cipher.XTSTranscode(block.data(), block.size(), block.data(),
+                        (offset - sector_offset) / XTS_SECTOR_SIZE, XTS_SECTOR_SIZE, Op::Decrypt);
+    const size_t read = XTS_SECTOR_SIZE - sector_offset;
 
-    if (length + sector_offset < 0x4000) {
+    if (length + sector_offset < XTS_SECTOR_SIZE) {
         std::memcpy(data, block.data() + sector_offset, std::min<u64>(length, read));
         return std::min<u64>(length, read);
     }
-- 
cgit v1.2.3


From a7e8d10969f280cd5a869b3525c3339357a958a6 Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Sat, 18 Aug 2018 21:16:20 -0400
Subject: file_sys: Cut down on includes and copies

---
 src/core/crypto/key_manager.cpp | 22 +++++++++++-----------
 src/core/crypto/key_manager.h   |  6 ++----
 2 files changed, 13 insertions(+), 15 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index acf635a65..1cb3fce00 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -199,7 +199,7 @@ Key256 KeyManager::GetKey(S256KeyType id, u64 field1, u64 field2) const {
 
 template <size_t Size>
 void KeyManager::WriteKeyToFile(bool title_key, std::string_view keyname,
-                                std::array<u8, Size> key) {
+                                const std::array<u8, Size>& key) {
     const std::string yuzu_keys_dir = FileUtil::GetUserPath(FileUtil::UserPath::KeysDir);
     std::string filename = "title.keys_autogenerated";
     if (!title_key)
@@ -209,11 +209,10 @@ void KeyManager::WriteKeyToFile(bool title_key, std::string_view keyname,
     if (!file.is_open())
         return;
     if (add_info_text) {
-        file << "# This file is autogenerated by Yuzu" << std::endl
-             << "# It serves to store keys that were automatically generated from the normal keys"
-             << std::endl
-             << "# If you are experiencing issues involving keys, it may help to delete this file"
-             << std::endl;
+        file
+            << "# This file is autogenerated by Yuzu\n"
+            << "# It serves to store keys that were automatically generated from the normal keys\n"
+            << "# If you are experiencing issues involving keys, it may help to delete this file\n";
     }
 
     file << std::endl
@@ -263,11 +262,12 @@ bool KeyManager::KeyFileExists(bool title) {
 }
 
 void KeyManager::DeriveSDSeedLazy() {
-    if (!HasKey(S128KeyType::SDSeed)) {
-        const auto res = DeriveSDSeed();
-        if (res != boost::none)
-            SetKey(S128KeyType::SDSeed, res.get());
-    }
+    if (HasKey(S128KeyType::SDSeed))
+        return;
+
+    const auto res = DeriveSDSeed();
+    if (res != boost::none)
+        SetKey(S128KeyType::SDSeed, res.get());
 }
 
 const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> KeyManager::s128_file_id = {
diff --git a/src/core/crypto/key_manager.h b/src/core/crypto/key_manager.h
index 78d0b64e0..7a8728f76 100644
--- a/src/core/crypto/key_manager.h
+++ b/src/core/crypto/key_manager.h
@@ -74,9 +74,7 @@ struct KeyIndex {
 // boost flat_map requires operator< for O(log(n)) lookups.
 template <typename KeyType>
 bool operator<(const KeyIndex<KeyType>& lhs, const KeyIndex<KeyType>& rhs) {
-    return (static_cast<size_t>(lhs.type) < static_cast<size_t>(rhs.type)) ||
-           (lhs.type == rhs.type && lhs.field1 < rhs.field1) ||
-           (lhs.type == rhs.type && lhs.field1 == rhs.field1 && lhs.field2 < rhs.field2);
+    return std::tie(lhs.type, lhs.field1, lhs.field2) < std::tie(rhs.type, rhs.field1, rhs.field2);
 }
 
 class KeyManager {
@@ -107,7 +105,7 @@ private:
     void AttemptLoadKeyFile(const std::string& dir1, const std::string& dir2,
                             const std::string& filename, bool title);
     template <size_t Size>
-    void WriteKeyToFile(bool title_key, std::string_view keyname, std::array<u8, Size> key);
+    void WriteKeyToFile(bool title_key, std::string_view keyname, const std::array<u8, Size>& key);
 
     static const boost::container::flat_map<std::string, KeyIndex<S128KeyType>> s128_file_id;
     static const boost::container::flat_map<std::string, KeyIndex<S256KeyType>> s256_file_id;
-- 
cgit v1.2.3


From 119ab308b551da889782420aeff088aff0d4882e Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Tue, 21 Aug 2018 15:04:03 -0400
Subject: key_manager: Create keys dir if it dosen't exist On call to
 WriteKeyToFile, so that the autogenerated file can be written.

---
 src/core/crypto/key_manager.cpp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index 1cb3fce00..daa779434 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -205,6 +205,7 @@ void KeyManager::WriteKeyToFile(bool title_key, std::string_view keyname,
     if (!title_key)
         filename = dev_mode ? "dev.keys_autogenerated" : "prod.keys_autogenerated";
     const auto add_info_text = !FileUtil::Exists(yuzu_keys_dir + DIR_SEP + filename);
+    FileUtil::CreateFullPath(yuzu_keys_dir + DIR_SEP + filename);
     std::ofstream file(yuzu_keys_dir + DIR_SEP + filename, std::ios::app);
     if (!file.is_open())
         return;
-- 
cgit v1.2.3


From ccfd17638211140b97cbf43b8486a80221f47c9d Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Tue, 21 Aug 2018 21:12:53 -0400
Subject: key_manager: Eliminate indexed for loop

---
 src/core/crypto/key_manager.cpp | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index daa779434..0b14bf15c 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -100,14 +100,21 @@ Loader::ResultStatus DeriveSDKeys(std::array<Key256, 2>& sd_keys, const KeyManag
         keys.GetKey(S256KeyType::SDKeySource, static_cast<u64>(SDKeyType::NCA)),
     };
 
-    AESCipher<Key128> cipher(sd_kek, Mode::ECB);
-    for (size_t i = 0; i < 2; ++i) {
-        for (size_t j = 0; j < sd_key_sources[i].size(); ++j)
-            sd_key_sources[i][j] ^= sd_seed[j & 0xF];
-        cipher.Transcode(sd_key_sources[i].data(), sd_key_sources[i].size(), sd_keys[i].data(),
-                         Op::Decrypt);
+    // Combine sources and seed
+    for (auto& source : sd_key_sources) {
+        for (size_t i = 0; i < source.size(); ++i)
+            source[i] ^= sd_seed[i & 0xF];
     }
 
+    AESCipher<Key128> cipher(sd_kek, Mode::ECB);
+    // The transform manipulates sd_keys as part of the Transcode, so the return/output is
+    // unnecessary. This does not alter sd_keys_sources.
+    std::transform(sd_key_sources.begin(), sd_key_sources.end(), sd_keys.begin(),
+                   sd_key_sources.begin(), [&cipher](const Key256& source, Key256& out) {
+                       cipher.Transcode(source.data(), source.size(), out.data(), Op::Decrypt);
+                       return source; ///< Return unaltered source to satisfy output requirement.
+                   });
+
     return Loader::ResultStatus::Success;
 }
 
-- 
cgit v1.2.3


From 6314a799aa7e20789562d2e877949dfebb6194ce Mon Sep 17 00:00:00 2001
From: Zach Hilman <zachhilman@gmail.com>
Date: Fri, 24 Aug 2018 22:15:32 -0400
Subject: file_sys/crypto: Fix missing/unnecessary includes

---
 src/core/crypto/key_manager.cpp          | 5 ++---
 src/core/crypto/key_manager.h            | 1 +
 src/core/crypto/xts_encryption_layer.cpp | 1 +
 src/core/crypto/xts_encryption_layer.h   | 1 -
 4 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/core/crypto')

diff --git a/src/core/crypto/key_manager.cpp b/src/core/crypto/key_manager.cpp
index 0b14bf15c..0b6c07de8 100644
--- a/src/core/crypto/key_manager.cpp
+++ b/src/core/crypto/key_manager.cpp
@@ -133,7 +133,7 @@ KeyManager::KeyManager() {
     }
 
     AttemptLoadKeyFile(yuzu_keys_dir, hactool_keys_dir, "title.keys", true);
-    AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "title.keys_autogenerated", false);
+    AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, "title.keys_autogenerated", true);
 }
 
 void KeyManager::LoadFromFile(const std::string& filename, bool is_title_keys) {
@@ -223,8 +223,7 @@ void KeyManager::WriteKeyToFile(bool title_key, std::string_view keyname,
             << "# If you are experiencing issues involving keys, it may help to delete this file\n";
     }
 
-    file << std::endl
-         << fmt::format("{} = {}", keyname, Common::HexArrayToString(key)) << std::endl;
+    file << fmt::format("\n{} = {}", keyname, Common::HexArrayToString(key));
     AttemptLoadKeyFile(yuzu_keys_dir, yuzu_keys_dir, filename, title_key);
 }
 
diff --git a/src/core/crypto/key_manager.h b/src/core/crypto/key_manager.h
index 7a8728f76..7ca3e6cbc 100644
--- a/src/core/crypto/key_manager.h
+++ b/src/core/crypto/key_manager.h
@@ -6,6 +6,7 @@
 
 #include <array>
 #include <string>
+#include <string_view>
 #include <type_traits>
 #include <vector>
 #include <boost/container/flat_map.hpp>
diff --git a/src/core/crypto/xts_encryption_layer.cpp b/src/core/crypto/xts_encryption_layer.cpp
index c6e5df1ce..c10832cfe 100644
--- a/src/core/crypto/xts_encryption_layer.cpp
+++ b/src/core/crypto/xts_encryption_layer.cpp
@@ -2,6 +2,7 @@
 // Licensed under GPLv2 or any later version
 // Refer to the license.txt file included.
 
+#include <algorithm>
 #include <cstring>
 #include "common/assert.h"
 #include "core/crypto/xts_encryption_layer.h"
diff --git a/src/core/crypto/xts_encryption_layer.h b/src/core/crypto/xts_encryption_layer.h
index 1e1acaf4a..7a1f1dc64 100644
--- a/src/core/crypto/xts_encryption_layer.h
+++ b/src/core/crypto/xts_encryption_layer.h
@@ -4,7 +4,6 @@
 
 #pragma once
 
-#include <vector>
 #include "core/crypto/aes_util.h"
 #include "core/crypto/encryption_layer.h"
 #include "core/crypto/key_manager.h"
-- 
cgit v1.2.3