Update Key Control Verification String

Merge from widevine repo of http://go/wvgerrit/22382 This updates the key control verification string in the haystack, in the reference oemcrypto (mock), and in the oemcrypto unit tests. The unit tests now set the key control block to be kc12 for all licenses if the API is set to version 12. Previously, we only used the more recent verification codes if the key control block used recent features. This should help prevent future incidents like b/32830469. Change-Id: I6c215b4058445a6d807610af94457598f26d591a
2016-11-29 16:10:13 -08:00
parent 08ad98cad9
commit 7fc037f1a9
2 changed files with 16 additions and 3 deletions
--- a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp
+++ b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp
@@ -17,7 +17,8 @@ bool KeyControlBlock::Validate() {
  if (memcmp(verification_, "kctl", 4) &&  // original verification
      memcmp(verification_, "kc09", 4) &&  // add in version 9 api
      memcmp(verification_, "kc10", 4) &&  // add in version 10 api
-      memcmp(verification_, "kc11", 4)) {  // add in version 11 api
+      memcmp(verification_, "kc11", 4) &&  // add in version 11 api
+      memcmp(verification_, "kc12", 4)) {  // add in version 12 api
    LOGE("KCB: BAD verification string: %4.4s", verification_);
    valid_ = false;
  } else {
--- a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
@@ -307,7 +307,12 @@ void Session::FillSimpleMessage(uint32_t duration, uint32_t control,
                                   sizeof(license_.keys[i].key_iv)));
    EXPECT_EQ(1, RAND_pseudo_bytes(license_.keys[i].control_iv,
                                   sizeof(license_.keys[i].control_iv)));
-    if (control & wvoec_mock::kControlSecurityPatchLevelMask) {
+    // For version 12, we require OEMCrypto to handle kc12 for all licenses.
+    if (global_features.api_version == 12) {
+      memcpy(license_.keys[i].control.verification, "kc12", 4);
+    } else if (control & wvoec_mock::kControlSecurityPatchLevelMask) {
+      // For versions before 12, we require the special key control block only
+      // when there are newer features present.
      memcpy(license_.keys[i].control.verification, "kc11", 4);
    } else if (control & wvoec_mock::kControlRequireAntiRollbackHardware) {
      memcpy(license_.keys[i].control.verification, "kc10", 4);
@@ -331,7 +336,14 @@ void Session::FillRefreshMessage(size_t key_count, uint32_t control_bits,
    encrypted_license().keys[i].key_id_length = license_.keys[i].key_id_length;
    memcpy(encrypted_license().keys[i].key_id, license_.keys[i].key_id,
           encrypted_license().keys[i].key_id_length);
-    memcpy(encrypted_license().keys[i].control.verification, "kctl", 4);
+    if (global_features.api_version == 12) {
+      // For version 12, we require OEMCrypto to handle kc12 for all licenses.
+      memcpy(encrypted_license().keys[i].control.verification, "kc12", 4);
+    } else {
+      // For versions before 12, we require the special key control block only
+      // when there are newer features present.
+      memcpy(encrypted_license().keys[i].control.verification, "kctl", 4);
+    }
    encrypted_license().keys[i].control.duration = htonl(kLongDuration);
    encrypted_license().keys[i].control.nonce = htonl(nonce);
    encrypted_license().keys[i].control.control_bits = htonl(control_bits);