root/modules/demux/mp4/drms.c

Revision e903b2ff7df4f6694813bc1a6946d860d699f437, 61.3 kB (checked in by Pierre d'Herbemont <pdherbemont@videolan.org>, 2 months ago)

mp4: Fix a leak.

Spotted by LLVM/Clang Static Analyzer.

1 /*****************************************************************************
2  * drms.c: DRMS
3  *****************************************************************************
4  * Copyright (C) 2004 the VideoLAN team
5  * $Id$
6  *
7  * Authors: Jon Lech Johansen <jon-vl@nanocrew.net>
8  *          Sam Hocevar <sam@zoy.org>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License as published by
12  * the Free Software Foundation; either version 2 of the License, or
13  * (at your option) any later version.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License
21  * along with this program; if not, write to the Free Software
22  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
23  *****************************************************************************/
24
25 #ifdef __LIBVLC__
26 #ifdef HAVE_CONFIG_H
27 # include "config.h"
28 #endif
29
30 #   include <vlc_common.h>
31 #   include <vlc_md5.h>
32 #   include "libmp4.h"
33 #   include <vlc_charset.h>
34 #else
35 #   include "drmsvl.h"
36 #endif
37
38 #ifdef WIN32
39 #   include <io.h>
40 #else
41 #   include <stdio.h>
42 #endif
43
44 #ifdef HAVE_ERRNO_H
45 #   include <errno.h>
46 #endif
47
48 #ifdef WIN32
49 #   if !defined( UNDER_CE )
50 #       include <direct.h>
51 #   endif
52 #   include <tchar.h>
53 #   include <shlobj.h>
54 #   include <windows.h>
55 #endif
56
57 #ifdef HAVE_SYS_STAT_H
58 #   include <sys/stat.h>
59 #endif
60 #ifdef HAVE_SYS_TYPES_H
61 #   include <sys/types.h>
62 #endif
63
64 /* In Solaris (and perhaps others) PATH_MAX is in limits.h. */
65 #include <limits.h>
66
67 #ifdef __APPLE__
68 #   include <mach/mach.h>
69 #   include <IOKit/IOKitLib.h>
70 #   include <CoreFoundation/CFNumber.h>
71 #endif
72
73 #ifdef HAVE_SYSFS_LIBSYSFS_H
74 #   include <sysfs/libsysfs.h>
75 #endif
76
77 #include "drms.h"
78 #include "drmstables.h"
79
80 #if !defined( UNDER_CE )
/*****************************************************************************
 * aes_s: AES keys structure
 *****************************************************************************
 * This structure stores a set of keys usable for encryption and decryption
 * with the AES/Rijndael algorithm.
 *
 * Each row is one 128-bit round key held as four 32-bit words. InitAES()
 * fills both tables from a 16-byte key and DecryptAES() only reads them.
 * The contents are key material.
 *****************************************************************************/
struct aes_s
{
    /* Expanded key: row 0 is the raw key, rows 1..AES_KEY_COUNT are derived
     * from it by InitAES(). */
    uint32_t pp_enc_keys[ AES_KEY_COUNT + 1 ][ 4 ];
    /* Decryption round keys: row 0 is a copy of pp_enc_keys[ 0 ], rows
     * 1..AES_KEY_COUNT-1 are computed by InitAES(). InitAES() never writes
     * row AES_KEY_COUNT of this table. */
    uint32_t pp_dec_keys[ AES_KEY_COUNT + 1 ][ 4 ];
};
92
93 #ifdef __LIBVLC__
94 # define Digest DigestMD5
95 #else
/*****************************************************************************
 * md5_s: MD5 message structure
 *****************************************************************************
 * This structure stores the static information needed to compute an MD5
 * hash. It has an extra data buffer to allow non-aligned writes.
 *
 * This definition is only compiled when __LIBVLC__ is not defined.
 *****************************************************************************/
struct md5_s
{
    uint64_t i_bits;      /* Total written bits; (i_bits / 8) & 63 is the
                           * number of bytes currently cached in p_data */
    uint32_t p_digest[4]; /* The MD5 digest */
    uint32_t p_data[16];  /* Buffer to cache non-aligned writes (64 bytes,
                           * the amount Digest() consumes per call) */
};
108 #endif
109
/*****************************************************************************
 * shuffle_s: shuffle structure
 *****************************************************************************
 * This structure stores the static information needed to shuffle data using
 * a custom algorithm.
 *
 * InitShuffle() fills every field; DoShuffle() reads p_commands and updates
 * p_bordel in place on each call.
 *****************************************************************************/
struct shuffle_s
{
    /* Stored by InitShuffle(); DoShuffle() takes the extended path when it
     * equals 0x01000300. */
    uint32_t i_version;
    /* 20 values in 0..1023 derived from MD5 hashes of the system key;
     * DoShuffle() decodes bits 8-9 as an operation and bits 0-7 as an index. */
    uint32_t p_commands[ 20 ];
    /* 16 words (64 bytes) of working state, hashed by DoShuffle(). */
    uint32_t p_bordel[ 16 ];
};
122
/* Exchange two integer lvalues with the XOR trick. Both arguments are
 * evaluated several times, and if they designate the same object the result
 * is 0 instead of the original value. The expansion is a bare { } block,
 * not a do { } while( 0 ) statement. */
#define SWAP( a, b ) { (a) ^= (b); (b) ^= (a); (a) ^= (b); }
124
/*****************************************************************************
 * drms_s: DRMS structure
 *****************************************************************************
 * This structure stores the static information needed to decrypt DRMS data.
 *
 * It is allocated by drms_alloc(), filled atom by atom by drms_init() and
 * released by drms_free(). p_key and aes hold key material.
 *****************************************************************************/
struct drms_s
{
    uint32_t i_user;        /* Set from the 'user' atom by drms_init() */
    uint32_t i_key;         /* Set from the 'key' atom by drms_init() */
    uint8_t  p_iviv[ 16 ];  /* 16 bytes copied from the 'iviv' atom */
    uint8_t *p_name;        /* Heap copy of the 'name' atom, owned by this
                             * structure; NULL when unset or once the 'priv'
                             * atom has been processed successfully */

    uint32_t p_key[ 4 ];    /* Initial chaining value read by drms_decrypt();
                             * also used as a scratch key by drms_init() */
    struct aes_s aes;       /* Round keys built by InitAES() */

    char     psz_homedir[ PATH_MAX ]; /* NUL-terminated copy of the path
                                       * given to drms_alloc() */
};
142
143 /*****************************************************************************
144  * Local prototypes
145  *****************************************************************************/
146 static void InitAES       ( struct aes_s *, uint32_t * );
147 static void DecryptAES    ( struct aes_s *, uint32_t *, const uint32_t * );
148
149 #ifndef __LIBVLC__
150 static void InitMD5       ( struct md5_s * );
151 static void AddMD5        ( struct md5_s *, const uint8_t *, uint32_t );
152 static void EndMD5        ( struct md5_s * );
153 static void Digest        ( struct md5_s *, uint32_t * );
154 #endif
155
156 static void InitShuffle   ( struct shuffle_s *, uint32_t *, uint32_t );
157 static void DoShuffle     ( struct shuffle_s *, uint32_t *, uint32_t );
158
159 static uint32_t FirstPass ( uint32_t * );
160 static void SecondPass    ( uint32_t *, uint32_t );
161 static void ThirdPass     ( uint32_t * );
162 static void FourthPass    ( uint32_t * );
163 static void TinyShuffle1  ( uint32_t * );
164 static void TinyShuffle2  ( uint32_t * );
165 static void TinyShuffle3  ( uint32_t * );
166 static void TinyShuffle4  ( uint32_t * );
167 static void TinyShuffle5  ( uint32_t * );
168 static void TinyShuffle6  ( uint32_t * );
169 static void TinyShuffle7  ( uint32_t * );
170 static void TinyShuffle8  ( uint32_t * );
171 static void DoExtShuffle  ( uint32_t * );
172
173 static int GetSystemKey   ( uint32_t *, bool );
174 static int WriteUserKey   ( void *, uint32_t * );
175 static int ReadUserKey    ( void *, uint32_t * );
176 static int GetUserKey     ( void *, uint32_t * );
177
178 static int GetSCIData     ( char *, uint32_t **, uint32_t * );
179 static int HashSystemInfo ( uint32_t * );
180 static int GetiPodID      ( int64_t * );
181
182 #ifdef WORDS_BIGENDIAN
/*****************************************************************************
 * Reverse: reverse byte order
 *****************************************************************************
 * Rewrites each of the n 32-bit words at p_buffer, in place, with the value
 * GetDWLE() returns for it. Only built when WORDS_BIGENDIAN is defined.
 *****************************************************************************/
static inline void Reverse( uint32_t *p_buffer, int n )
{
    uint32_t *p_word = p_buffer;
    int i_left = n;

    /* A zero or negative count leaves the buffer untouched. */
    while( i_left-- > 0 )
    {
        *p_word = GetDWLE( p_word );
        p_word++;
    }
}
195 #    define REVERSE( p, n ) Reverse( p, n )
196 #else
197 #    define REVERSE( p, n )
198 #endif
199
/*****************************************************************************
 * BlockXOR: XOR two 128 bit blocks
 *****************************************************************************
 * Writes p_s1 ^ p_s2 to p_dest, one 32-bit word at a time. Each output word
 * depends only on the input words at the same index, so p_dest may be the
 * same block as either source.
 *****************************************************************************/
static inline void BlockXOR( uint32_t *p_dest, uint32_t *p_s1, uint32_t *p_s2 )
{
    p_dest[ 0 ] = p_s1[ 0 ] ^ p_s2[ 0 ];
    p_dest[ 1 ] = p_s1[ 1 ] ^ p_s2[ 1 ];
    p_dest[ 2 ] = p_s1[ 2 ] ^ p_s2[ 2 ];
    p_dest[ 3 ] = p_s1[ 3 ] ^ p_s2[ 3 ];
}
212
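/*****************************************************************************
 * drms_alloc: allocate a DRMS structure
 *****************************************************************************
 * Returns a zero-filled structure holding a copy of psz_homedir, or NULL if
 * psz_homedir is NULL or the allocation fails. The caller owns the result
 * and releases it with drms_free().
 *
 * A path longer than PATH_MAX - 1 bytes is silently truncated.
 *****************************************************************************/
void *drms_alloc( const char *psz_homedir )
{
    struct drms_s *p_drms;

    /* strncpy() on a NULL source is undefined behaviour; refuse it the same
     * way an allocation failure is reported. */
    if( psz_homedir == NULL )
    {
        return NULL;
    }

    /* calloc() zeroes every field, so p_name starts as NULL and the keys
     * start cleared. */
    p_drms = calloc( 1, sizeof(*p_drms) );
    if( p_drms == NULL )
    {
        return NULL;
    }

    /* Copy at most PATH_MAX - 1 bytes; the last byte of the zeroed buffer
     * stays '\0', so the string is always terminated. */
    strncpy( p_drms->psz_homedir, psz_homedir,
             sizeof(p_drms->psz_homedir) - 1 );

    return p_drms;
}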
234
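/*****************************************************************************
 * drms_free: free a previously allocated DRMS structure
 *****************************************************************************
 * Releases the name copy and the structure itself. A NULL argument is
 * ignored. The structure is overwritten with zeroes before it is returned
 * to the allocator because it holds the content key and the AES round keys.
 *****************************************************************************/
void drms_free( void *_p_drms )
{
    struct drms_s *p_drms = (struct drms_s *)_p_drms;
    volatile uint8_t *p_wipe = (volatile uint8_t *)_p_drms;
    size_t i;

    if( p_drms == NULL )
    {
        return;
    }

    /* free( NULL ) is a no-op, so no test on p_name is needed. */
    free( p_drms->p_name );

    /* Written through a volatile pointer so that the compiler cannot drop
     * the stores as dead writes ahead of free(). */
    for( i = 0; i < sizeof(*p_drms); i++ )
    {
        p_wipe[ i ] = 0;
    }

    free( p_drms );
}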
249
/*****************************************************************************
 * drms_decrypt: unscramble a chunk of data
 *****************************************************************************
 * Decrypts p_buffer in place, 16 bytes at a time. Each decrypted block is
 * XORed with the previous scrambled block (CBC-style chaining); the first
 * block is XORed with p_drms->p_key. The chaining value is kept in a local
 * copy, so p_drms->p_key is not modified and every call starts from it.
 *
 * Only whole blocks are processed: the trailing i_bytes % 16 bytes are left
 * as they are. The caller must make sure p_buffer holds i_bytes bytes.
 *****************************************************************************/
void drms_decrypt( void *_p_drms, uint32_t *p_buffer, uint32_t i_bytes )
{
    struct drms_s *p_drms = (struct drms_s *)_p_drms;
    uint32_t p_chain[ 4 ];
    uint32_t *p_block = p_buffer;
    unsigned int i_left;

    /* Start the chain from the stored key */
    memcpy( p_chain, p_drms->p_key, 16 );

    /* AES is a block cypher: count whole 16-byte blocks only */
    for( i_left = i_bytes / 16; i_left > 0; i_left--, p_block += 4 )
    {
        uint32_t p_plain[ 4 ];

        REVERSE( p_block, 4 );
        DecryptAES( &p_drms->aes, p_plain, p_block );
        BlockXOR( p_plain, p_chain, p_plain );

        /* The scrambled block just read chains into the next one */
        memcpy( p_chain, p_block, 16 );

        /* Replace the scrambled block with the unscrambled data */
        memcpy( p_block, p_plain, 16 );
        REVERSE( p_block, 4 );
    }
}
285
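/*****************************************************************************
 * drms_init: initialise a DRMS structure
 *****************************************************************************
 * Feeds one atom to the structure. i_type selects the atom, p_info points
 * to its payload and i_len is the number of readable bytes at p_info. The
 * payload comes from the media file, so every case checks i_len before it
 * reads. The 'priv' atom needs 'name' and 'iviv' to have been given first.
 * Unknown atom types are ignored and reported as success.
 *
 * Return values:
 *  0: success
 * -1: unimplemented
 * -2: invalid argument (payload too short, 'priv' without a prior 'name',
 *     or out of memory while copying the name)
 * -3: could not get system key
 * -4: could not get SCI data
 * -5: no user key found in SCI data
 * -6: invalid user key
 *****************************************************************************/
int drms_init( void *_p_drms, uint32_t i_type,
               uint8_t *p_info, uint32_t i_len )
{
    struct drms_s *p_drms = (struct drms_s *)_p_drms;
    int i_ret = 0;

    switch( i_type )
    {
        case FOURCC_user:
            if( i_len < sizeof(p_drms->i_user) )
            {
                i_ret = -2;
                break;
            }

            p_drms->i_user = U32_AT( p_info );
            break;

        case FOURCC_key:
            if( i_len < sizeof(p_drms->i_key) )
            {
                i_ret = -2;
                break;
            }

            p_drms->i_key = U32_AT( p_info );
            break;

        case FOURCC_iviv:
            /* Check against the field that is actually written. */
            if( i_len < sizeof(p_drms->p_iviv) )
            {
                i_ret = -2;
                break;
            }

            memcpy( p_drms->p_iviv, p_info, sizeof(p_drms->p_iviv) );
            break;

        case FOURCC_name:
        {
            /* The payload is not guaranteed to contain a terminator, so the
             * copy is bounded by i_len instead of relying on strdup(). */
            const uint8_t *p_nul = NULL;
            size_t i_name = i_len;

            if( i_len > 0 )
            {
                p_nul = memchr( p_info, '\0', i_len );
            }
            if( p_nul != NULL )
            {
                i_name = (size_t)(p_nul - p_info);
            }

            /* A second 'name' atom replaces the first one; release the
             * earlier copy so that it is not leaked. */
            free( p_drms->p_name );
            p_drms->p_name = malloc( i_name + 1 );

            if( p_drms->p_name == NULL )
            {
                i_ret = -2;
                break;
            }

            if( i_name > 0 )
            {
                memcpy( p_drms->p_name, p_info, i_name );
            }
            p_drms->p_name[ i_name ] = '\0';
            break;
        }

        case FOURCC_priv:
        {
            /* Zeroed so that REVERSE() below never reads indeterminate
             * words: only the first 64 bytes (16 words) receive data. */
            uint32_t p_priv[ 64 ] = { 0 };
            struct md5_s md5;

            /* p_name is hashed below; without a prior 'name' atom it is
             * still NULL and must not reach strlen(). */
            if( i_len < 64 || p_drms->p_name == NULL )
            {
                i_ret = -2;
                break;
            }

            /* The MD5 of name + iviv becomes the chaining value used to
             * decrypt the private block. */
            InitMD5( &md5 );
            AddMD5( &md5, p_drms->p_name, strlen( (char *)p_drms->p_name ) );
            AddMD5( &md5, p_drms->p_iviv, 16 );
            EndMD5( &md5 );

            if( p_drms->i_user == 0 && p_drms->i_key == 0 )
            {
                /* No user or key id was given: use the built-in constant */
                static const char p_secret[] = "tr1-th3n.y00_by3";
                memcpy( p_drms->p_key, p_secret, 16 );
                REVERSE( p_drms->p_key, 4 );
            }
            else
            {
                i_ret = GetUserKey( p_drms, p_drms->p_key );
                if( i_ret )
                {
                    break;
                }
            }

            InitAES( &p_drms->aes, p_drms->p_key );

            memcpy( p_priv, p_info, 64 );
            memcpy( p_drms->p_key, md5.p_digest, 16 );
            drms_decrypt( p_drms, p_priv, 64 );
            REVERSE( p_priv, 64 );

            /* A correctly decrypted block starts with this marker */
            if( p_priv[ 0 ] != 0x6e757469 ) /* itun */
            {
                i_ret = -6;
                break;
            }

            /* Words 6..9 are the content key, words 12..15 the chaining
             * value used for the media data. */
            InitAES( &p_drms->aes, p_priv + 6 );
            memcpy( p_drms->p_key, p_priv + 12, 16 );

            /* The name is only needed to derive the key */
            free( p_drms->p_name );
            p_drms->p_name = NULL;
        }
        break;
    }

    return i_ret;
}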
400
401 /* The following functions are local */
402
/*****************************************************************************
 * InitAES: initialise AES/Rijndael encryption/decryption tables
 *****************************************************************************
 * Expands the 16-byte key at p_key into p_aes->pp_enc_keys (rows 0 to
 * AES_KEY_COUNT) and derives p_aes->pp_dec_keys rows 0 to AES_KEY_COUNT - 1
 * from it. The AES algorithm itself is specified in FIPS 197.
 *****************************************************************************/
static void InitAES( struct aes_s *p_aes, uint32_t *p_key )
{
    unsigned int i_round, i_word;
    uint32_t i_seed;

    memset( p_aes->pp_enc_keys[1], 0, 16 );
    memcpy( p_aes->pp_enc_keys[0], p_key, 16 );

    /* Generate the key tables: every row is built from the previous one,
     * seeded with the last word written so far */
    i_seed = p_aes->pp_enc_keys[ 0 ][ 3 ];

    for( i_round = 0; i_round < AES_KEY_COUNT; i_round++ )
    {
        const uint32_t *p_prev = p_aes->pp_enc_keys[ i_round ];
        uint32_t *p_next = p_aes->pp_enc_keys[ i_round + 1 ];
        uint32_t i_acc;

        i_seed = AES_ROR( i_seed, 8 );

        i_acc = p_aes_table[ i_round ];

        i_acc ^= p_aes_encrypt[ (i_seed >> 24) & 0xff ]
                  ^ AES_ROR( p_aes_encrypt[ (i_seed >> 16) & 0xff ], 8 )
                  ^ AES_ROR( p_aes_encrypt[ (i_seed >> 8) & 0xff ], 16 )
                  ^ AES_ROR( p_aes_encrypt[ i_seed & 0xff ], 24 );

        /* Running XOR across the four words of the previous row */
        for( i_word = 0; i_word < 4; i_word++ )
        {
            i_acc ^= p_prev[ i_word ];
            p_next[ i_word ] = i_acc;
        }

        i_seed = i_acc;
    }

    memcpy( p_aes->pp_dec_keys[ 0 ],
            p_aes->pp_enc_keys[ 0 ], 16 );

    for( i_round = 1; i_round < AES_KEY_COUNT; i_round++ )
    {
        for( i_word = 0; i_word < 4; i_word++ )
        {
            uint32_t i_x1, i_x2, i_x4, i_x8, i_rot;

            i_x1 = p_aes->pp_enc_keys[ i_round ][ i_word ];

            /* Three successive byte-wise doublings in GF(2^8); 27 is the
             * reduction constant 0x1b */
            i_x2 = (((i_x1 >> 7) & 0x01010101) * 27)
                    ^ ((i_x1 & 0xff7f7f7f) << 1);
            i_x4 = (((i_x2 >> 7) & 0x01010101) * 27)
                    ^ ((i_x2 & 0xff7f7f7f) << 1);
            i_x8 = (((i_x4 >> 7) & 0x01010101) * 27)
                    ^ ((i_x4 & 0xff7f7f7f) << 1);

            i_x1 ^= i_x8;

            i_rot = AES_ROR( i_x4 ^ i_x1, 16 ) ^ AES_ROR( i_x2 ^ i_x1, 8 )
                     ^ AES_ROR( i_x1, 24 );

            p_aes->pp_dec_keys[ i_round ][ i_word ] =
                i_x2 ^ i_x4 ^ i_x8 ^ i_rot;
        }
    }
}
467
/*****************************************************************************
 * DecryptAES: decrypt an AES/Rijndael 128 bit block
 *****************************************************************************
 * Reads four words from p_src and writes four words to p_dest, using the
 * tables prepared by InitAES(). p_src is copied into a local working block
 * before p_dest is written.
 *
 * NOTE(review): AES_XOR_ROR() is not passed the column index yet produces a
 * different value per column, so it presumably refers to the local variable
 * named t. Keep that name; confirm against drmstables.h.
 *****************************************************************************/
static void DecryptAES( struct aes_s *p_aes,
                        uint32_t *p_dest, const uint32_t *p_src )
{
    uint32_t p_wtxt[ 4 ]; /* Working cyphertext */
    uint32_t p_tmp[ 4 ];
    unsigned int i_key, t;

    /* Initial whitening with the last row of the expanded key */
    for( t = 0; t < 4; t++ )
    {
        /* FIXME: are there any endianness issues here? */
        p_wtxt[ t ] = p_src[ t ] ^ p_aes->pp_enc_keys[ AES_KEY_COUNT ][ t ];
    }

    /* Main rounds: walk the decryption keys from row AES_KEY_COUNT - 1
     * down to row 1 */
    for( i_key = AES_KEY_COUNT - 1; i_key > 0; i_key-- )
    {
        for( t = 0; t < 4; t++ )
        {
            p_tmp[ t ] = AES_XOR_ROR( p_aes_itable, p_wtxt );
        }

        for( t = 0; t < 4; t++ )
        {
            p_wtxt[ t ] = p_tmp[ t ] ^ p_aes->pp_dec_keys[ i_key ][ t ];
        }
    }

    /* Final round, keyed with row 0 */
    for( t = 0; t < 4; t++ )
    {
        p_dest[ t ] = AES_XOR_ROR( p_aes_decrypt, p_wtxt );
        p_dest[ t ] ^= p_aes->pp_dec_keys[ 0 ][ t ];
    }
}
506
507 #ifndef __LIBVLC__
/*****************************************************************************
 * InitMD5: initialise an MD5 message
 *****************************************************************************
 * Resets the bit counter, clears the 64-byte spare buffer and loads the four
 * initial chaining values. The MD5 message-digest algorithm is described in
 * RFC 1321.
 *****************************************************************************/
static void InitMD5( struct md5_s *p_md5 )
{
    static const uint32_t p_initial[ 4 ] =
    {
        0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    };

    p_md5->i_bits = 0;
    memset( p_md5->p_data, 0, 64 );
    memcpy( p_md5->p_digest, p_initial, sizeof(p_initial) );
}
523
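/*****************************************************************************
 * AddMD5: add i_len bytes to an MD5 message
 *****************************************************************************
 * Appends i_len bytes from p_src. Whole 64-byte blocks are hashed at once;
 * the remainder stays in the spare buffer p_md5->p_data until more data
 * arrives or EndMD5() is called.
 *****************************************************************************/
static void AddMD5( struct md5_s *p_md5, const uint8_t *p_src, uint32_t i_len )
{
    unsigned int i_current; /* Current bytes in the spare buffer */
    unsigned int i_offset = 0;

    i_current = (p_md5->i_bits / 8) & 63;

    /* Widen before multiplying: 8 * i_len evaluated in 32 bits wraps for
     * inputs of 512 MiB and more, which would corrupt the length that
     * EndMD5() appends to the message. */
    p_md5->i_bits += (uint64_t)i_len * 8;

    /* If we can complete our spare buffer to 64 bytes, do it and add the
     * resulting buffer to the MD5 message */
    if( i_len >= (64 - i_current) )
    {
        memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src,
                (64 - i_current) );
        Digest( p_md5, p_md5->p_data );

        i_offset += (64 - i_current);
        i_len -= (64 - i_current);
        i_current = 0;
    }

    /* Add as many entire 64 bytes blocks as we can to the MD5 message.
     * Each block goes through a local copy because Digest() takes a
     * non-const uint32_t pointer while p_src is const and byte-addressed. */
    while( i_len >= 64 )
    {
        uint32_t p_tmp[ 16 ];
        memcpy( p_tmp, p_src + i_offset, 64 );
        Digest( p_md5, p_tmp );
        i_offset += 64;
        i_len -= 64;
    }

    /* Copy our remaining data to the message's spare buffer; at this point
     * i_current + i_len is below 64 */
    memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src + i_offset, i_len );
}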
562
/*****************************************************************************
 * EndMD5: finish an MD5 message
 *****************************************************************************
 * Appends the 0x80 marker, zero padding and the 64-bit message length so
 * that the message ends on a block boundary, then hashes the last block(s).
 * The result is left in p_md5->p_digest.
 *****************************************************************************/
static void EndMD5( struct md5_s *p_md5 )
{
    uint8_t *p_bytes = (uint8_t *)p_md5->p_data;
    unsigned int i_used = (p_md5->i_bits / 8) & 63;

    /* The spare buffer always has room for the marker: AddMD5 hashes and
     * empties it as soon as it holds 64 bytes. */
    p_bytes[ i_used ] = 0x80;
    i_used++;

    /* Fewer than 8 bytes left for the length: zero-fill and hash this
     * block, the length then goes at the end of a fresh one. */
    if( i_used > 56 )
    {
        memset( p_bytes + i_used, 0, (64 - i_used) );
        Digest( p_md5, p_md5->p_data );
        i_used = 0;
    }

    /* Zero up to byte 56, then store the bit count in the last two words. */
    memset( p_bytes + i_used, 0, (56 - i_used) );
    p_md5->p_data[ 14 ] = p_md5->i_bits & 0xffffffff;
    p_md5->p_data[ 15 ] = (p_md5->i_bits >> 32);
    REVERSE( &p_md5->p_data[ 14 ], 2 );

    Digest( p_md5, p_md5->p_data );
}
598
/* The four MD5 round functions. F1 is an equivalent form of
 * (x & y) | (~x & z) and F2 is F1 with its arguments rotated. */
#define F1( x, y, z ) ((z) ^ ((x) & ((y) ^ (z))))
#define F2( x, y, z ) F1((z), (x), (y))
#define F3( x, y, z ) ((x) ^ (y) ^ (z))
#define F4( x, y, z ) ((y) ^ ((x) | ~(z)))

/* One MD5 step: add f(x, y, z) and data to w, rotate w left by s bits, then
 * add x. w is assigned several times and the arguments are not
 * parenthesised, so pass plain 32-bit variables and a shift count between
 * 1 and 31. */
#define MD5_DO( f, w, x, y, z, data, s ) \
    ( w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x )
606
/*****************************************************************************
 * Digest: update the MD5 digest with 64 bytes of data
 *****************************************************************************
 * Runs the 64 MD5 steps over the 16 words at p_input and adds the result to
 * p_md5->p_digest. When REVERSE() is not empty (WORDS_BIGENDIAN builds) the
 * words at p_input are byte-swapped in place first, so the caller's buffer
 * is modified.
 *****************************************************************************/
static void Digest( struct md5_s *p_md5, uint32_t *p_input )
{
    uint32_t a, b, c, d;

    REVERSE( p_input, 16 );

    /* Work on a copy of the current chaining values */
    a = p_md5->p_digest[ 0 ];
    b = p_md5->p_digest[ 1 ];
    c = p_md5->p_digest[ 2 ];
    d = p_md5->p_digest[ 3 ];

    /* Round 1: F1, input words in order, shifts 7/12/17/22 */
    MD5_DO( F1, a, b, c, d, p_input[  0 ] + 0xd76aa478,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  1 ] + 0xe8c7b756, 12 );
    MD5_DO( F1, c, d, a, b, p_input[  2 ] + 0x242070db, 17 );
    MD5_DO( F1, b, c, d, a, p_input[  3 ] + 0xc1bdceee, 22 );
    MD5_DO( F1, a, b, c, d, p_input[  4 ] + 0xf57c0faf,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  5 ] + 0x4787c62a, 12 );
    MD5_DO( F1, c, d, a, b, p_input[  6 ] + 0xa8304613, 17 );
    MD5_DO( F1, b, c, d, a, p_input[  7 ] + 0xfd469501, 22 );
    MD5_DO( F1, a, b, c, d, p_input[  8 ] + 0x698098d8,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  9 ] + 0x8b44f7af, 12 );
    MD5_DO( F1, c, d, a, b, p_input[ 10 ] + 0xffff5bb1, 17 );
    MD5_DO( F1, b, c, d, a, p_input[ 11 ] + 0x895cd7be, 22 );
    MD5_DO( F1, a, b, c, d, p_input[ 12 ] + 0x6b901122,  7 );
    MD5_DO( F1, d, a, b, c, p_input[ 13 ] + 0xfd987193, 12 );
    MD5_DO( F1, c, d, a, b, p_input[ 14 ] + 0xa679438e, 17 );
    MD5_DO( F1, b, c, d, a, p_input[ 15 ] + 0x49b40821, 22 );

    /* Round 2: F2, shifts 5/9/14/20 */
    MD5_DO( F2, a, b, c, d, p_input[  1 ] + 0xf61e2562,  5 );
    MD5_DO( F2, d, a, b, c, p_input[  6 ] + 0xc040b340,  9 );
    MD5_DO( F2, c, d, a, b, p_input[ 11 ] + 0x265e5a51, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  0 ] + 0xe9b6c7aa, 20 );
    MD5_DO( F2, a, b, c, d, p_input[  5 ] + 0xd62f105d,  5 );
    MD5_DO( F2, d, a, b, c, p_input[ 10 ] + 0x02441453,  9 );
    MD5_DO( F2, c, d, a, b, p_input[ 15 ] + 0xd8a1e681, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  4 ] + 0xe7d3fbc8, 20 );
    MD5_DO( F2, a, b, c, d, p_input[  9 ] + 0x21e1cde6,  5 );
    MD5_DO( F2, d, a, b, c, p_input[ 14 ] + 0xc33707d6,  9 );
    MD5_DO( F2, c, d, a, b, p_input[  3 ] + 0xf4d50d87, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  8 ] + 0x455a14ed, 20 );
    MD5_DO( F2, a, b, c, d, p_input[ 13 ] + 0xa9e3e905,  5 );
    MD5_DO( F2, d, a, b, c, p_input[  2 ] + 0xfcefa3f8,  9 );
    MD5_DO( F2, c, d, a, b, p_input[  7 ] + 0x676f02d9, 14 );
    MD5_DO( F2, b, c, d, a, p_input[ 12 ] + 0x8d2a4c8a, 20 );

    /* Round 3: F3, shifts 4/11/16/23 */
    MD5_DO( F3, a, b, c, d, p_input[  5 ] + 0xfffa3942,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  8 ] + 0x8771f681, 11 );
    MD5_DO( F3, c, d, a, b, p_input[ 11 ] + 0x6d9d6122, 16 );
    MD5_DO( F3, b, c, d, a, p_input[ 14 ] + 0xfde5380c, 23 );
    MD5_DO( F3, a, b, c, d, p_input[  1 ] + 0xa4beea44,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  4 ] + 0x4bdecfa9, 11 );
    MD5_DO( F3, c, d, a, b, p_input[  7 ] + 0xf6bb4b60, 16 );
    MD5_DO( F3, b, c, d, a, p_input[ 10 ] + 0xbebfbc70, 23 );
    MD5_DO( F3, a, b, c, d, p_input[ 13 ] + 0x289b7ec6,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  0 ] + 0xeaa127fa, 11 );
    MD5_DO( F3, c, d, a, b, p_input[  3 ] + 0xd4ef3085, 16 );
    MD5_DO( F3, b, c, d, a, p_input[  6 ] + 0x04881d05, 23 );
    MD5_DO( F3, a, b, c, d, p_input[  9 ] + 0xd9d4d039,  4 );
    MD5_DO( F3, d, a, b, c, p_input[ 12 ] + 0xe6db99e5, 11 );
    MD5_DO( F3, c, d, a, b, p_input[ 15 ] + 0x1fa27cf8, 16 );
    MD5_DO( F3, b, c, d, a, p_input[  2 ] + 0xc4ac5665, 23 );

    /* Round 4: F4, shifts 6/10/15/21 */
    MD5_DO( F4, a, b, c, d, p_input[  0 ] + 0xf4292244,  6 );
    MD5_DO( F4, d, a, b, c, p_input[  7 ] + 0x432aff97, 10 );
    MD5_DO( F4, c, d, a, b, p_input[ 14 ] + 0xab9423a7, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  5 ] + 0xfc93a039, 21 );
    MD5_DO( F4, a, b, c, d, p_input[ 12 ] + 0x655b59c3,  6 );
    MD5_DO( F4, d, a, b, c, p_input[  3 ] + 0x8f0ccc92, 10 );
    MD5_DO( F4, c, d, a, b, p_input[ 10 ] + 0xffeff47d, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  1 ] + 0x85845dd1, 21 );
    MD5_DO( F4, a, b, c, d, p_input[  8 ] + 0x6fa87e4f,  6 );
    MD5_DO( F4, d, a, b, c, p_input[ 15 ] + 0xfe2ce6e0, 10 );
    MD5_DO( F4, c, d, a, b, p_input[  6 ] + 0xa3014314, 15 );
    MD5_DO( F4, b, c, d, a, p_input[ 13 ] + 0x4e0811a1, 21 );
    MD5_DO( F4, a, b, c, d, p_input[  4 ] + 0xf7537e82,  6 );
    MD5_DO( F4, d, a, b, c, p_input[ 11 ] + 0xbd3af235, 10 );
    MD5_DO( F4, c, d, a, b, p_input[  2 ] + 0x2ad7d2bb, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  9 ] + 0xeb86d391, 21 );

    /* Fold the result of this block into the running digest */
    p_md5->p_digest[ 0 ] += a;
    p_md5->p_digest[ 1 ] += b;
    p_md5->p_digest[ 2 ] += c;
    p_md5->p_digest[ 3 ] += d;
}
694 #endif
695
/*****************************************************************************
 * InitShuffle: initialise a shuffle structure
 *****************************************************************************
 * Prepares the tables in p_shuffle that DoShuffle uses later. Apart from
 * the version number stored as is, the only external input is the 16-byte
 * system key at p_sys_key.
 *****************************************************************************/
static void InitShuffle( struct shuffle_s *p_shuffle, uint32_t *p_sys_key,
                         uint32_t i_version )
{
    static const char p_secret2[] = "____v8rhvsaAvOKM____FfUH%798=[;."
                                    "____f8677680a634____ba87fnOIf)(*";
    char p_secret1[] = "Tv!*";
    unsigned int i_cmd, i_row;

    p_shuffle->i_version = i_version;

    /* One command per MD5( system key + seed ); the last seed byte is
     * bumped after every hash so that each command differs */
    for( i_cmd = 0; i_cmd < 20; i_cmd++, p_secret1[ 3 ]++ )
    {
        struct md5_s md5;
        int32_t i_hash;

        InitMD5( &md5 );
        AddMD5( &md5, (const uint8_t *)p_sys_key, 16 );
        AddMD5( &md5, (const uint8_t *)p_secret1, 4 );
        EndMD5( &md5 );

        REVERSE( md5.p_digest, 1 );
        i_hash = ((int32_t)U32_AT(md5.p_digest)) % 1024;

        /* Keep the magnitude: the remainder lies in -1023..1023 */
        if( i_hash < 0 )
        {
            i_hash = i_hash * -1;
        }
        p_shuffle->p_commands[ i_cmd ] = i_hash;
    }

    /* Start p_bordel from the fixed 64-byte filler, then overwrite the
     * first word of each group of four with a word of the system key. */
    memcpy( p_shuffle->p_bordel, p_secret2, 64 );
    for( i_row = 0; i_row < 4; i_row++ )
    {
        uint32_t *p_row = p_shuffle->p_bordel + 4 * i_row;

        p_row[ 0 ] = U32_AT(p_sys_key + i_row);
        REVERSE( p_row + 1, 3 );
    }
}
739
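/*****************************************************************************
 * DoShuffle: shuffle buffer
 *****************************************************************************
 * Updates p_shuffle->p_bordel according to p_shuffle->p_commands, hashes it
 * with MD5 and XORs the first i_size words of p_buffer with the digest.
 * The digest has four words, so at most four words of p_buffer are changed;
 * a larger i_size is clamped instead of reading past the digest.
 *
 * This is so ugly and uses so many MD5 checksums that it is most certainly
 * one-way, though why it needs to be so complicated is beyond me.
 *****************************************************************************/
static void DoShuffle( struct shuffle_s *p_shuffle,
                       uint32_t *p_buffer, uint32_t i_size )
{
    struct md5_s md5;
    uint32_t p_big_bordel[ 16 ];
    uint32_t *p_bordel = p_shuffle->p_bordel;
    unsigned int i;

    static const uint32_t p_secret3[] =
    {
        0xAAAAAAAA, 0x01757700, 0x00554580, 0x01724500, 0x00424580,
        0x01427700, 0x00000080, 0xC1D59D01, 0x80144981, 0x815C8901,
        0x80544981, 0x81D45D01, 0x00000080, 0x81A3BB03, 0x00A2AA82,
        0x01A3BB03, 0x0022A282, 0x813BA202, 0x00000080, 0x6D575737,
        0x4A5275A5, 0x6D525725, 0x4A5254A5, 0x6B725437, 0x00000080,
        0xD5DDB938, 0x5455A092, 0x5D95A013, 0x4415A192, 0xC5DD393A,
        0x00000080, 0x55555555
    };

    static const char p_secret4[] =
        "pbclevtug (p) Nccyr Pbzchgre, Vap.  Nyy Evtugf Erfreirq.";
    /* Includes the terminating '\0' */
    static const uint32_t i_secret4 = sizeof(p_secret4)/sizeof(p_secret4[0]);

    /* Using the MD5 hash of a memory block is probably not one-way enough
     * for the iTunes people. This function randomises p_bordel depending on
     * the values in p_commands to make things even more messy in p_bordel. */
    for( i = 0; i < 20; i++ )
    {
        uint8_t i_command, i_index;

        if( !p_shuffle->p_commands[ i ] )
        {
            continue;
        }

        /* Bits 8-9 select the operation, bits 0-7 the operands. Every
         * p_bordel index below is a 4-bit value, so it stays in 0..15. */
        i_command = (p_shuffle->p_commands[ i ] & 0x300) >> 8;
        i_index = p_shuffle->p_commands[ i ] & 0xff;

        switch( i_command )
        {
        case 0x3:
            p_bordel[ i_index & 0xf ] = p_bordel[ i_index >> 4 ]
                                      + p_bordel[ ((i_index + 0x10) >> 4) & 0xf ];
            break;
        case 0x2:
            p_bordel[ i_index >> 4 ] ^= p_shuffle_xor[ 0xff - i_index ];
            break;
        case 0x1:
            p_bordel[ i_index >> 4 ] -= p_shuffle_sub[ 0xff - i_index ];
            break;
        default:
            p_bordel[ i_index >> 4 ] += p_shuffle_add[ 0xff - i_index ];
            break;
        }
    }

    if( p_shuffle->i_version == 0x01000300 )
    {
        DoExtShuffle( p_bordel );
    }

    /* Convert our newly randomised p_bordel to big endianness and take
     * its MD5 hash. */
    InitMD5( &md5 );
    for( i = 0; i < 16; i++ )
    {
        p_big_bordel[ i ] = U32_AT(p_bordel + i);
    }
    AddMD5( &md5, (const uint8_t *)p_big_bordel, 64 );
    if( p_shuffle->i_version == 0x01000300 )
    {
        /* Sized with constant expressions so that these are ordinary
         * arrays and not variable-length ones. */
        uint32_t p_tmp3[ sizeof(p_secret3)/sizeof(p_secret3[0]) ];
        char     p_tmp4[ sizeof(p_secret4) ];
        uint32_t i_char; /* own index: does not shadow the outer i */

        memcpy( p_tmp3, p_secret3, sizeof(p_secret3) );
        REVERSE( p_tmp3, sizeof(p_secret3)/sizeof(p_secret3[0]) );

#define ROT13(c) (((c)>='A'&&(c)<='Z')?(((c)-'A'+13)%26)+'A':\
                      ((c)>='a'&&(c)<='z')?(((c)-'a'+13)%26)+'a':c)
        for( i_char = 0; i_char < i_secret4; i_char++ )
        {
            p_tmp4[ i_char ] = ROT13( p_secret4[ i_char ] );
        }
#undef ROT13

        AddMD5( &md5, (const uint8_t *)p_tmp3, sizeof(p_secret3) );
        AddMD5( &md5, (const uint8_t *)p_tmp4, i_secret4 );
    }
    EndMD5( &md5 );

    /* md5.p_digest only has this many words; never index past it. */
    if( i_size > sizeof(md5.p_digest)/sizeof(md5.p_digest[0]) )
    {
        i_size = sizeof(md5.p_digest)/sizeof(md5.p_digest[0]);
    }

    /* XOR our buffer with the computed checksum */
    for( i = 0; i < i_size; i++ )
    {
        p_buffer[ i ] ^= md5.p_digest[ i ];
    }
}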
841
/*****************************************************************************
 * DoExtShuffle: extended shuffle
 *****************************************************************************
 * Runs the four passes over p_bordel in order. The value returned by the
 * first pass is handed to the second one. This is even uglier.
 *****************************************************************************/
static void DoExtShuffle( uint32_t * p_bordel )
{
    const uint32_t i_first = FirstPass( p_bordel );

    SecondPass( p_bordel, i_first );
    ThirdPass( p_bordel );
    FourthPass( p_bordel );
}
859
860 static uint32_t FirstPass( uint32_t * p_bordel )
861 {
862     uint32_t i, i_cmd, i_ret = 5;
863
864     TinyShuffle1( p_bordel );
865
866     for( ; ; )
867     {
868         for( ; ; )
869         {
870             p_bordel[ 1 ] += 0x10000000;
871             p_bordel[ 3 ] += 0x12777;
872
873             if( (p_bordel[ 10 ] & 1) && i_ret )
874             {
875                 i_ret--;
876                 p_bordel[ 1 ] -= p_bordel[ 2 ];
877                 p_bordel[ 11 ] += p_bordel[ 12 ];
878                 break;
879             }
880
881             if( (p_bordel[ 1 ] + p_bordel[ 2 ]) >= 0x7D0 )
882             {
883                 switch( ((p_bordel[ 3 ] ^ 0x567F) >> 2) & 7 )
884                 {
885                     case 0:
886                         for( i = 0; i < 3; i++ )
887                         {
888                             if( p_bordel[ i + 10 ] > 0x4E20 )
889                             {
890                                 p_bordel[ i + 1 ] += p_bordel[ i + 2 ];
891                             }
892                         }
893                         break;
894                     case 4:
895                         p_bordel[ 1 ] -= p_bordel[ 2 ];
896                         /* no break */
897                     case 3:
898                         p_bordel[ 11 ] += p_bordel[ 12 ];
899                         break;
900                     case 6:
901                         p_bordel[ 3 ] ^= p_bordel[ 4 ];
902                         /* no break */
903                     case 8:
904                         p_bordel[ 13 ] &= p_bordel[ 14 ];
905                         /* no break */
906                     case 1:
907                         p_bordel[ 0 ] |= p_bordel[ 1 ];
908                         if( i_ret )
909                         {
910                             return i_ret;
911                         }
912                         break;
913                 }
914
915                 break;
916             }
917         }
918
919         for( i = 0, i_cmd = 0; i < 16; i++ )
920         {
921             if( p_bordel[ i ] < p_bordel[ i_cmd ] )
922             {
923