OEMCrypto_ReassociateEntitledKeySession() to check key policy

OEMCrypto_ReassociateEntitledKeySession() should prevent an entitled key
session from being associated to an arbitrary entitlement session.
Validations added/updated in this CL:
1. at least one entitled key is supposed to have matching entitlement
key in the new session;
2. the key control block in the new entitlement key should remain
   unchanged compared to the existing entitlement key.

Updated OPK and ref/testbed implementations.

Test: jenkins/opk_ta, jenkins/run_fake_l1_tests
Bug: 262795590
Merged from https://widevine-internal-review.googlesource.com/171192

Change-Id: I3868aa0d3c5ffb818ed83b9c49313125803939e0

libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp

@@ -996,6 +996,21 @@ TEST_P(OEMCryptoEntitlementLicenseTest, ReassociateEntitledKeySessionAPI17) {
   ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_ReassociateEntitledKeySession(
                                    key_session_id, session_.session_id()));
   ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(true));
+
+  // session3 has unmatched key policies
+  Session session3;
+  ASSERT_NO_FATAL_FAILURE(session3.open());
+  ASSERT_NO_FATAL_FAILURE(InstallTestDrmKey(&session3));
+  LicenseRoundTrip license_messages3(&session3);
+  license_messages3.set_license_type(OEMCrypto_EntitlementLicense);
+  license_messages3.set_control(license_messages_.control() + 1);
+  ASSERT_NO_FATAL_FAILURE(license_messages3.SignAndVerifyRequest());
+  ASSERT_NO_FATAL_FAILURE(license_messages3.CreateDefaultResponse());
+  ASSERT_NO_FATAL_FAILURE(license_messages3.EncryptAndSignResponse());
+  ASSERT_EQ(OEMCrypto_SUCCESS, license_messages3.LoadResponse());
+  // Re-associating to session3 should fail.
+  EXPECT_NE(OEMCrypto_SUCCESS, OEMCrypto_ReassociateEntitledKeySession(
+                                   key_session_id, session3.session_id()));
 }
 
 /// @}