From 5a09ba7255dc4428137bd2f51fb1bb197ef36957 Mon Sep 17 00:00:00 2001
From: Liam <byteslice@airmail.cc>
Date: Mon, 28 Aug 2023 22:22:00 -0400
Subject: vfs: ensure key area keys are validated

---
 src/core/file_sys/content_archive.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/core/file_sys/content_archive.cpp b/src/core/file_sys/content_archive.cpp
index 44e6852fe..7d2f0abb8 100644
--- a/src/core/file_sys/content_archive.cpp
+++ b/src/core/file_sys/content_archive.cpp
@@ -22,6 +22,10 @@
 
 namespace FileSys {
 
+static u8 MasterKeyIdForKeyGeneration(u8 key_generation) {
+    return std::max<u8>(key_generation, 1) - 1;
+}
+
 NCA::NCA(VirtualFile file_, const NCA* base_nca)
     : file(std::move(file_)), keys{Core::Crypto::KeyManager::Instance()} {
     if (file == nullptr) {
@@ -41,12 +45,17 @@ NCA::NCA(VirtualFile file_, const NCA* base_nca)
         return;
     }
 
+    // Ensure we have the proper key area keys to continue.
+    const u8 master_key_id = MasterKeyIdForKeyGeneration(reader->GetKeyGeneration());
+    if (!keys.HasKey(Core::Crypto::S128KeyType::KeyArea, master_key_id, reader->GetKeyIndex())) {
+        status = Loader::ResultStatus::ErrorMissingKeyAreaKey;
+        return;
+    }
+
     RightsId rights_id{};
     reader->GetRightsId(rights_id.data(), rights_id.size());
     if (rights_id != RightsId{}) {
         // External decryption key required; provide it here.
-        const auto key_generation = std::max<s32>(reader->GetKeyGeneration(), 1) - 1;
-
         u128 rights_id_u128;
         std::memcpy(rights_id_u128.data(), rights_id.data(), sizeof(rights_id));
 
@@ -57,12 +66,12 @@ NCA::NCA(VirtualFile file_, const NCA* base_nca)
             return;
         }
 
-        if (!keys.HasKey(Core::Crypto::S128KeyType::Titlekek, key_generation)) {
+        if (!keys.HasKey(Core::Crypto::S128KeyType::Titlekek, master_key_id)) {
             status = Loader::ResultStatus::ErrorMissingTitlekek;
             return;
         }
 
-        auto titlekek = keys.GetKey(Core::Crypto::S128KeyType::Titlekek, key_generation);
+        auto titlekek = keys.GetKey(Core::Crypto::S128KeyType::Titlekek, master_key_id);
         Core::Crypto::AESCipher<Core::Crypto::Key128> cipher(titlekek, Core::Crypto::Mode::ECB);
         cipher.Transcode(titlekey.data(), titlekey.size(), titlekey.data(),
                          Core::Crypto::Op::Decrypt);
-- 
cgit v1.2.3