widevine-partner/oemcrypto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Combine Decrypt Unit Tests.

Browse Source
This commit is contained in:
Fred Gylys-Colwell
2019-12-15 16:09:03 -08:00
parent ba75fe85da
commit f328c85fc3
12 changed files with 994 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
oemcrypto/include/oemcrypto_types.h
View File

@@ -71,6 +71,7 @@ static const size_t KEY_ID_SIZE = 16;
static const size_t KEY_IV_SIZE = 16;
static const size_t KEY_PAD_SIZE = 16;
static const size_t KEY_SIZE = 16;
static const size_t AES_128_BLOCK_SIZE = 16;
static const size_t MAC_KEY_SIZE = 32;
static const size_t KEYBOX_KEY_DATA_SIZE = 72;
static const size_t SRM_REQUIREMENT_SIZE = 12;

2
oemcrypto/ref/src/oemcrypto_engine_ref.cpp
View File

@@ -226,7 +226,7 @@ OEMCryptoResult CryptoEngine::SetDestination(
default:
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
size_t max_allowed = max_output_size();
size_t max_allowed = max_sample_size();
if (max_allowed > 0 &&
(max_allowed < max_length || max_allowed < data_length)) {
LOGE("Output too large (or buffer too small).");

14
oemcrypto/ref/src/oemcrypto_engine_ref.h
View File

@@ -154,14 +154,14 @@ class CryptoEngine {
// been applied to the device that fixes a security bug.
virtual uint8_t config_security_patch_level() { return 0; }
// If 0 no restriction, otherwise it's the max buffer for DecryptCENC.
// This is the same as the max subsample size, not the sample or frame size.
virtual size_t max_buffer_size() { return 1024 * 100; } // 100 KiB.
// If 0 no restriction, otherwise it's the max subsample size for
// DecryptCENC. This is not the same as the max sample or buffer size.
virtual size_t max_subsample_size() { return 1024 * 100; } // 100 KiB
// If 0 no restriction, otherwise it's the max output buffer for DecryptCENC
// and CopyBuffer. This is the same as the max frame or sample size, not the
// subsample size.
virtual size_t max_output_size() { return 0; }
// If 0 no restriction, otherwise it's the max sample size for DecryptCENC.
// This is the same as the max input and output buffer size for DecryptCENC
// and CopyBuffer. It is not the same as the max subsample size.
virtual size_t max_sample_size() { return 1024 * 1024; } // 1 MiB
virtual bool srm_update_supported() { return false; }

183
oemcrypto/ref/src/oemcrypto_ref.cpp
View File

@@ -6,6 +6,7 @@
//
#include "OEMCryptoCENC.h"
#include <assert.h>
#include <openssl/cmac.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
@@ -51,6 +52,41 @@ uint32_t unaligned_dereference_uint32(const void* unaligned_ptr) {
return value;
}
void advance_dest_buffer(OEMCrypto_DestBufferDesc* dest_buffer, size_t bytes) {
switch (dest_buffer->type) {
case OEMCrypto_BufferType_Clear:
dest_buffer->buffer.clear.address += bytes;
dest_buffer->buffer.clear.address_length -= bytes;
break;
case OEMCrypto_BufferType_Secure:
dest_buffer->buffer.secure.offset += bytes;
break;
case OEMCrypto_BufferType_Direct:
// Nothing to do for this buffer type.
break;
}
}
// Advance an IV according to ISO-CENC's CTR modes. The lower half of the IV is
// split off and treated as an unsigned 64-bit integer, then incremented by the
// number of complete crypto blocks decrypted. The resulting value is then
// copied back into the IV over the previous lower half.
void advance_iv_ctr(uint8_t (*subsample_iv)[wvoec::KEY_IV_SIZE], size_t bytes) {
uint64_t counter;
assert(sizeof(*subsample_iv) == wvoec::KEY_IV_SIZE);
assert(sizeof(counter) * 2 == sizeof(*subsample_iv));
static const size_t half_iv_size = wvoec::KEY_IV_SIZE / 2;
memcpy(&counter, &(*subsample_iv)[half_iv_size], half_iv_size);
size_t increment =
bytes / wvoec::AES_128_BLOCK_SIZE; // The truncation here is intentional
counter = wvcdm::htonll64(wvcdm::ntohll64(counter) + increment);
memcpy(&(*subsample_iv)[half_iv_size], &counter, half_iv_size);
}
} // namespace
namespace wvoec_ref {
@@ -579,40 +615,21 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_SelectKey(
return session_ctx->SelectContentKey(key_id_str, cipher_mode);
}
OEMCRYPTO_API OEMCryptoResult OEMCrypto_DecryptCENC_V15(
OEMCrypto_SESSION session, const uint8_t* data_addr, size_t data_length,
bool is_encrypted, const uint8_t* iv, size_t block_offset,
OEMCrypto_DestBufferDesc* out_buffer_descriptor,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
uint8_t subsample_flags) {
OEMCRYPTO_API OEMCryptoResult OEMCrypto_DecryptCENC(
OEMCrypto_SESSION session, const OEMCrypto_SampleDescription* samples,
size_t samples_length, const OEMCrypto_CENCEncryptPatternDesc* pattern) {
if (crypto_engine == nullptr) {
LOGE("OEMCrypto_DecryptCENC: OEMCrypto Not Initialized.");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
if (data_addr == nullptr || data_length == 0 || iv == nullptr ||
out_buffer_descriptor == nullptr) {
LOGE("[OEMCrypto_DecryptCENC(): OEMCrypto_ERROR_INVALID_CONTEXT]");
if (samples == nullptr || samples_length == 0) {
LOGE("[OEMCrypto_DecryptCENC(): No samples]");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
if (crypto_engine->max_buffer_size() > 0 &&
data_length > crypto_engine->max_buffer_size()) {
// For testing reasons only, pretend that this integration only supports
// the minimum possible buffer size.
LOGE("[OEMCrypto_DecryptCENC(): OEMCrypto_ERROR_BUFFER_TOO_LARGE]");
return OEMCrypto_ERROR_BUFFER_TOO_LARGE;
if (pattern == nullptr) {
LOGE("[OEMCrypto_DecryptCENC(): No pattern]");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
OEMCryptoResult status = crypto_engine->SetDestination(
*out_buffer_descriptor, data_length, subsample_flags);
if (status != OEMCrypto_SUCCESS) {
LOGE("[OEMCrypto_DecryptCENC(): destination status: %d]", status);
return status;
}
#ifndef NDEBUG
if (!crypto_engine->ValidRootOfTrust()) {
LOGE("[OEMCrypto_DecryptCENC(): ERROR_KEYBOX_INVALID]");
return OEMCrypto_ERROR_KEYBOX_INVALID;
}
#endif
SessionContext* session_ctx = crypto_engine->FindSession(session);
if (session_ctx == nullptr || !session_ctx->isValid()) {
@@ -620,13 +637,107 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_DecryptCENC_V15(
return OEMCrypto_ERROR_INVALID_SESSION;
}
OEMCryptoResult result = session_ctx->DecryptCENC_V15(
iv, block_offset, pattern, data_addr, data_length, is_encrypted,
crypto_engine->destination(), out_buffer_descriptor->type,
subsample_flags);
if (result != OEMCrypto_SUCCESS) return result;
return crypto_engine->PushDestination(*out_buffer_descriptor,
subsample_flags);
// Iterate through all the samples and validate them before doing any decrypt
for (size_t sample_index = 0; sample_index < samples_length; ++sample_index) {
const OEMCrypto_SampleDescription& sample = samples[sample_index];
if (sample.buffers.input_data == nullptr ||
sample.buffers.input_data_length == 0) {
LOGE("[OEMCrypto_DecryptCENC(): OEMCrypto_ERROR_INVALID_CONTEXT]");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
if (crypto_engine->max_sample_size() > 0 &&
sample.buffers.input_data_length > crypto_engine->max_sample_size()) {
// For testing reasons only, pretend that this integration only supports
// the given buffer size.
LOGE("[OEMCrypto_DecryptCENC(): Sample too large]");
return OEMCrypto_ERROR_BUFFER_TOO_LARGE;
}
// Iterate through all the subsamples and sum their lengths
size_t subsample_length_tally = 0;
for (size_t subsample_index = 0; subsample_index < sample.subsamples_length;
++subsample_index) {
const OEMCrypto_SubSampleDescription& subsample =
sample.subsamples[subsample_index];
const size_t length =
subsample.num_bytes_clear + subsample.num_bytes_encrypted;
if (crypto_engine->max_subsample_size() > 0 &&
length > crypto_engine->max_subsample_size()) {
// For testing reasons only, pretend that this integration only supports
// the given buffer size.
LOGE("[OEMCrypto_DecryptCENC(): Subsample too large]");
return OEMCrypto_ERROR_BUFFER_TOO_LARGE;
}
subsample_length_tally += length;
}
if (subsample_length_tally != sample.buffers.input_data_length) {
LOGE(
"[OEMCrypto_DecryptCENC(): Sample and subsample lengths do not "
"match.]");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
}
// Iterate through all the samples and decrypt each one
for (size_t sample_index = 0; sample_index < samples_length; ++sample_index) {
const OEMCrypto_SampleDescription& sample = samples[sample_index];
// Iterate through all the subsamples and decrypt each one
const uint8_t* subsample_source = sample.buffers.input_data;
OEMCrypto_DestBufferDesc subsample_dest = sample.buffers.output_descriptor;
uint8_t subsample_iv[wvoec::KEY_IV_SIZE];
assert(sizeof(sample.iv) == wvoec::KEY_IV_SIZE);
assert(sizeof(subsample_iv) == wvoec::KEY_IV_SIZE);
memcpy(&subsample_iv[0], &sample.iv[0], wvoec::KEY_IV_SIZE);
for (size_t subsample_index = 0; subsample_index < sample.subsamples_length;
++subsample_index) {
const OEMCrypto_SubSampleDescription& subsample =
sample.subsamples[subsample_index];
const size_t subsample_length =
subsample.num_bytes_clear + subsample.num_bytes_encrypted;
OEMCryptoResult result = crypto_engine->SetDestination(
subsample_dest, subsample_length, subsample.subsample_flags);
if (result != OEMCrypto_SUCCESS) {
LOGE("[OEMCrypto_DecryptCENC(): SetDestination status: %d]", result);
return result;
}
#ifndef NDEBUG
if (!crypto_engine->ValidRootOfTrust()) {
LOGE("[OEMCrypto_DecryptCENC(): ERROR_KEYBOX_INVALID]");
return OEMCrypto_ERROR_KEYBOX_INVALID;
}
#endif
result = session_ctx->DecryptSubsample(
subsample, subsample_source, crypto_engine->destination(),
subsample_dest.type, subsample_iv, pattern);
if (result != OEMCrypto_SUCCESS) {
LOGE("[OEMCrypto_DecryptCENC(): DecryptSubsample status: %d]", result);
return result;
}
result = crypto_engine->PushDestination(subsample_dest,
subsample.subsample_flags);
if (result != OEMCrypto_SUCCESS) {
LOGE("[OEMCrypto_DecryptCENC(): PushDestination status: %d]", result);
return result;
}
// Advance the source buffer, the dest buffer, and (if necessary) the IV
subsample_source += subsample_length;
advance_dest_buffer(&subsample_dest, subsample_length);
if (subsample.num_bytes_encrypted > 0 &&
session_ctx->current_content_key()->ctr_mode()) {
advance_iv_ctr(&subsample_iv,
subsample.block_offset + subsample.num_bytes_encrypted);
}
} // Subsample loop
} // Sample loop
return OEMCrypto_SUCCESS;
}
OEMCRYPTO_API OEMCryptoResult OEMCrypto_CopyBuffer(
@@ -641,8 +752,8 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_CopyBuffer(
LOGE("[OEMCrypto_CopyBuffer(): OEMCrypto_ERROR_INVALID_CONTEXT]");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
if (crypto_engine->max_buffer_size() > 0 &&
data_length > crypto_engine->max_buffer_size()) {
if (crypto_engine->max_sample_size() > 0 &&
data_length > crypto_engine->max_sample_size()) {
// For testing reasons only, pretend that this integration only supports
// the minimum possible buffer size.
LOGE("[OEMCrypto_CopyBuffer(): OEMCrypto_ERROR_BUFFER_TOO_LARGE]");

130
oemcrypto/ref/src/oemcrypto_session.cpp
View File

@@ -1484,15 +1484,29 @@ bool SessionContext::DecryptMessage(const std::vector<uint8_t>& key,
return true;
}
OEMCryptoResult SessionContext::DecryptCENC_V15(
const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length, bool is_encrypted,
OEMCryptoResult SessionContext::DecryptSubsample(
const OEMCrypto_SubSampleDescription& subsample, const uint8_t* cipher_data,
uint8_t* clear_data, OEMCryptoBufferType buffer_type,
uint8_t subsample_flags) {
OEMCryptoResult result =
ChooseDecrypt(iv, block_offset, pattern, cipher_data, cipher_data_length,
is_encrypted, clear_data, buffer_type);
const uint8_t iv[wvoec::KEY_IV_SIZE],
const OEMCrypto_CENCEncryptPatternDesc* pattern) {
// Handle the clear portion of the subsample.
if (subsample.num_bytes_clear > 0) {
if (buffer_type != OEMCrypto_BufferType_Direct) {
memmove(clear_data, cipher_data, subsample.num_bytes_clear);
}
// For the reference implementation, we quietly drop the clear direct video.
}
// Handle the encrypted portion of the subsample.
OEMCryptoResult result = OEMCrypto_SUCCESS;
if (subsample.num_bytes_encrypted > 0) {
const uint8_t* source = cipher_data + subsample.num_bytes_clear;
uint8_t* dest = clear_data + subsample.num_bytes_clear;
result = ChooseDecrypt(iv, subsample.block_offset, pattern, source,
subsample.num_bytes_encrypted, dest, buffer_type);
}
// Compute hash for FDPT.
if (compute_hash_) {
if (current_content_key() == nullptr ||
(current_content_key()->control().control_bits() &
@@ -1503,12 +1517,13 @@ OEMCryptoResult SessionContext::DecryptCENC_V15(
current_hash_ = 0;
current_frame_number_ = 0;
} else {
if (OEMCrypto_FirstSubsample & subsample_flags) {
if (OEMCrypto_FirstSubsample & subsample.subsample_flags) {
current_hash_ = wvcrc32Init();
}
current_hash_ =
wvcrc32Cont(clear_data, cipher_data_length, current_hash_);
if (OEMCrypto_LastSubsample & subsample_flags) {
current_hash_ = wvcrc32Cont(
clear_data, subsample.num_bytes_clear + subsample.num_bytes_encrypted,
current_hash_);
if (OEMCrypto_LastSubsample & subsample.subsample_flags) {
if (current_hash_ != given_hash_) {
LOGE("CRC for frame %d is %08x, should be %08x\n",
current_frame_number_, current_hash_, given_hash_);
@@ -1522,25 +1537,17 @@ OEMCryptoResult SessionContext::DecryptCENC_V15(
}
}
}
// Return the result of the previous ChooseDecrypt() call after computing the
// hash.
return result;
}
OEMCryptoResult SessionContext::ChooseDecrypt(
const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length, bool is_encrypted,
uint8_t* clear_data, OEMCryptoBufferType buffer_type) {
// If the data is clear, we do not need a current key selected.
if (!is_encrypted) {
if (buffer_type != OEMCrypto_BufferType_Direct) {
memmove(reinterpret_cast<uint8_t*>(clear_data), cipher_data,
cipher_data_length);
return OEMCrypto_SUCCESS;
}
// For reference implementation, we quietly drop the clear direct video.
return OEMCrypto_SUCCESS;
}
const OEMCrypto_CENCEncryptPatternDesc* pattern, const uint8_t* cipher_data,
size_t cipher_data_length, uint8_t* clear_data,
OEMCryptoBufferType buffer_type) {
// Check there is a content key
if (current_content_key() == nullptr) {
LOGE("[DecryptCTR(): OEMCrypto_ERROR_NO_CONTENT_KEY]");
@@ -1565,41 +1572,42 @@ OEMCryptoResult SessionContext::ChooseDecrypt(
}
if (!current_content_key()->ctr_mode()) {
if (block_offset > 0) return OEMCrypto_ERROR_INVALID_CONTEXT;
return DecryptCBC(key_u8, iv, pattern, cipher_data, cipher_data_length,
clear_data);
if (block_offset > 0 || pattern->encrypt == 0) {
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
if (pattern->skip > 0) {
return PatternDecryptCTR(key_u8, iv, block_offset, pattern, cipher_data,
return PatternDecryptCBC(key_u8, iv, pattern, cipher_data,
cipher_data_length, clear_data);
} else {
if (pattern->skip != 0 || pattern->encrypt != 0) {
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
return DecryptCTR(key_u8, iv, block_offset, cipher_data, cipher_data_length,
clear_data);
}
}
OEMCryptoResult SessionContext::DecryptCBC(
OEMCryptoResult SessionContext::PatternDecryptCBC(
const uint8_t* key, const uint8_t* initial_iv,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length,
uint8_t* clear_data) {
const OEMCrypto_CENCEncryptPatternDesc* pattern, const uint8_t* cipher_data,
size_t cipher_data_length, uint8_t* clear_data) {
AES_KEY aes_key;
AES_set_decrypt_key(&key[0], AES_BLOCK_SIZE * 8, &aes_key);
uint8_t iv[AES_BLOCK_SIZE];
uint8_t next_iv[AES_BLOCK_SIZE];
memcpy(iv, &initial_iv[0], AES_BLOCK_SIZE);
const size_t pattern_length = pattern->encrypt + pattern->skip;
if (pattern_length <= 0) return OEMCrypto_ERROR_INVALID_CONTEXT;
size_t l = 0;
// TODO(b/135285640): remove this.
size_t pattern_offset = 0;
while (l < cipher_data_length) {
size_t size =
std::min(cipher_data_length - l, static_cast<size_t>(AES_BLOCK_SIZE));
size_t pattern_length = pattern->encrypt + pattern->skip;
bool skip_block =
(pattern_offset >= pattern->encrypt) && (pattern_length > 0);
if (pattern_length > 0) {
bool skip_block = (pattern_offset >= pattern->encrypt);
pattern_offset = (pattern_offset + 1) % pattern_length;
}
// TODO(b/140503351): The (size < AES_BLOCK_SIZE) check is not correct for
// patterns where (pattern.encrypt > 1).
if (skip_block || (size < AES_BLOCK_SIZE)) {
memmove(&clear_data[l], &cipher_data[l], size);
} else {
@@ -1618,46 +1626,6 @@ OEMCryptoResult SessionContext::DecryptCBC(
return OEMCrypto_SUCCESS;
}
OEMCryptoResult SessionContext::PatternDecryptCTR(
const uint8_t* key, const uint8_t* initial_iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length,
uint8_t* clear_data) {
AES_KEY aes_key;
AES_set_encrypt_key(&key[0], AES_BLOCK_SIZE * 8, &aes_key);
uint8_t iv[AES_BLOCK_SIZE];
memcpy(iv, &initial_iv[0], AES_BLOCK_SIZE);
size_t l = 0;
// TODO(b/135285640): remove this.
size_t pattern_offset = 0;
while (l < cipher_data_length) {
size_t size =
std::min(cipher_data_length - l, AES_BLOCK_SIZE - block_offset);
size_t pattern_length = pattern->encrypt + pattern->skip;
bool skip_block =
(pattern_offset >= pattern->encrypt) && (pattern_length > 0);
if (pattern_length > 0) {
pattern_offset = (pattern_offset + 1) % pattern_length;
}
if (skip_block) {
memmove(&clear_data[l], &cipher_data[l], size);
} else {
uint8_t aes_output[AES_BLOCK_SIZE];
AES_encrypt(iv, aes_output, &aes_key);
for (size_t n = 0; n < size; n++) {
clear_data[l + n] = aes_output[n + block_offset] ^ cipher_data[l + n];
}
ctr128_inc64(iv);
}
l += size;
block_offset = 0;
}
return OEMCrypto_SUCCESS;
}
// This is a special case of PatternDecryptCTR with no skip pattern. It uses
// more optimized versions of openssl's implementation of AES CTR mode.
OEMCryptoResult SessionContext::DecryptCTR(const uint8_t* key_u8,
const uint8_t* iv,
size_t block_offset,

30
oemcrypto/ref/src/oemcrypto_session.h
View File

@@ -96,12 +96,11 @@ class SessionContext {
virtual bool ValidateMessage(const uint8_t* message, size_t message_length,
const uint8_t* signature,
size_t signature_length);
OEMCryptoResult DecryptCENC_V15(
const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length, bool is_encrypted,
uint8_t* clear_data, OEMCryptoBufferType buffer_type,
uint8_t subsample_flags);
OEMCryptoResult DecryptSubsample(
const OEMCrypto_SubSampleDescription& subsample,
const uint8_t* cipher_data, uint8_t* clear_data,
OEMCryptoBufferType buffer_type, const uint8_t iv[wvoec::KEY_IV_SIZE],
const OEMCrypto_CENCEncryptPatternDesc* pattern);
OEMCryptoResult Generic_Encrypt(const uint8_t* in_buffer,
size_t buffer_length, const uint8_t* iv,
@@ -237,19 +236,14 @@ class SessionContext {
OEMCryptoResult CheckStatusOnline(uint32_t nonce, uint32_t control);
// Check that the usage entry status is valid for offline use.
OEMCryptoResult CheckStatusOffline(uint32_t nonce, uint32_t control);
OEMCryptoResult ChooseDecrypt(
const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length, bool is_encrypted,
uint8_t* clear_data, OEMCryptoBufferType buffer_type);
OEMCryptoResult DecryptCBC(
OEMCryptoResult ChooseDecrypt(const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc* pattern,
const uint8_t* cipher_data,
size_t cipher_data_length, uint8_t* clear_data,
OEMCryptoBufferType buffer_type);
OEMCryptoResult PatternDecryptCBC(
const uint8_t* key, const uint8_t* iv,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const uint8_t* cipher_data, size_t cipher_data_length,
uint8_t* clear_data);
OEMCryptoResult PatternDecryptCTR(
const uint8_t* key, const uint8_t* iv, size_t block_offset,
const OEMCrypto_CENCEncryptPatternDesc_V15* pattern,
const OEMCrypto_CENCEncryptPatternDesc* pattern,
const uint8_t* cipher_data, size_t cipher_data_length,
uint8_t* clear_data);
OEMCryptoResult DecryptCTR(const uint8_t* key_u8, const uint8_t* iv,

177
oemcrypto/test/oec_decrypt_fallback_chain.cpp Normal file
View File

@@ -0,0 +1,177 @@
// Copyright 2019 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine Master
// License Agreement.
#include "oec_decrypt_fallback_chain.h"
#include <stdint.h>
#include <string.h>
#include "oemcrypto_types.h"
#include "string_conversions.h"
namespace {
void advance_dest_buffer(OEMCrypto_DestBufferDesc* dest_buffer, size_t bytes) {
switch (dest_buffer->type) {
case OEMCrypto_BufferType_Clear:
dest_buffer->buffer.clear.address += bytes;
dest_buffer->buffer.clear.address_length -= bytes;
break;
case OEMCrypto_BufferType_Secure:
dest_buffer->buffer.secure.offset += bytes;
break;
case OEMCrypto_BufferType_Direct:
// Nothing to do for this buffer type.
break;
}
}
void advance_iv_ctr(uint8_t (*subsample_iv)[wvoec::KEY_IV_SIZE], size_t bytes) {
uint64_t counter;
constexpr size_t half_iv_size = wvoec::KEY_IV_SIZE / 2;
memcpy(&counter, &(*subsample_iv)[half_iv_size], half_iv_size);
size_t increment =
bytes / wvoec::AES_128_BLOCK_SIZE; // The truncation here is intentional
counter = wvcdm::htonll64(wvcdm::ntohll64(counter) + increment);
memcpy(&(*subsample_iv)[half_iv_size], &counter, half_iv_size);
}
} // namespace
namespace wvoec {
// Decrypts the given array of samples. Handles fallback behavior correctly if
// the OEMCrypto implementation does not accept multiple samples.
OEMCryptoResult DecryptFallbackChain::Decrypt(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription* samples,
size_t samples_length, OEMCryptoCipherMode cipher_mode,
const OEMCrypto_CENCEncryptPatternDesc* pattern) {
OEMCryptoResult sts =
OEMCrypto_DecryptCENC(session_id, samples, samples_length, pattern);
// No need for a fallback. Abort early.
if (sts != OEMCrypto_ERROR_BUFFER_TOO_LARGE) return sts;
// Fall back to decrypting individual samples.
for (size_t i = 0; i < samples_length; ++i) {
sts = DecryptSample(session_id, samples[i], cipher_mode, pattern);
if (sts != OEMCrypto_SUCCESS) return sts;
}
return sts;
}
// Decrypts the given sample. Handles fallback behavior correctly if the
// OEMCrypto implementation does not accept full samples.
OEMCryptoResult DecryptFallbackChain::DecryptSample(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
OEMCryptoCipherMode cipher_mode,
const OEMCrypto_CENCEncryptPatternDesc* pattern) {
OEMCryptoResult sts = OEMCrypto_DecryptCENC(session_id, &sample, 1, pattern);
// No need for a fallback. Abort early.
if (sts != OEMCrypto_ERROR_BUFFER_TOO_LARGE) return sts;
// Fall back to decrypting individual subsamples.
OEMCrypto_SampleDescription fake_sample = sample;
for (size_t i = 0; i < sample.subsamples_length; ++i) {
const OEMCrypto_SubSampleDescription& subsample = sample.subsamples[i];
size_t length = subsample.num_bytes_clear + subsample.num_bytes_encrypted;
fake_sample.buffers.input_data_length = length;
fake_sample.subsamples = &subsample;
fake_sample.subsamples_length = 1;
sts = DecryptSubsample(session_id, fake_sample, pattern);
if (sts != OEMCrypto_SUCCESS) return sts;
fake_sample.buffers.input_data += length;
advance_dest_buffer(&fake_sample.buffers.output_descriptor, length);
if (cipher_mode == OEMCrypto_CipherMode_CTR) {
advance_iv_ctr(&fake_sample.iv,
subsample.block_offset + subsample.num_bytes_encrypted);
}
}
return sts;
}
// Decrypts the given subsample. Handles fallback behavior correctly if the
// OEMCrypto implementation does not accept full subsamples.
OEMCryptoResult DecryptFallbackChain::DecryptSubsample(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
const OEMCrypto_CENCEncryptPatternDesc* pattern) {
OEMCryptoResult sts = OEMCrypto_DecryptCENC(session_id, &sample, 1, pattern);
// No need for a fallback. Abort early.
if (sts != OEMCrypto_ERROR_BUFFER_TOO_LARGE) return sts;
// Fall back to decrypting individual subsample halves.
const OEMCrypto_SubSampleDescription& subsample = sample.subsamples[0];
OEMCrypto_SampleDescription fake_sample = sample;
OEMCrypto_SubSampleDescription fake_subsample;
fake_sample.subsamples = &fake_subsample;
fake_sample.subsamples_length = 1;
if (subsample.num_bytes_clear > 0) {
fake_sample.buffers.input_data_length = subsample.num_bytes_clear;
fake_subsample.num_bytes_clear = subsample.num_bytes_clear;
fake_subsample.num_bytes_encrypted = 0;
fake_subsample.block_offset = 0;
fake_subsample.subsample_flags = 0;
if (subsample.subsample_flags & OEMCrypto_FirstSubsample)
fake_subsample.subsample_flags |= OEMCrypto_FirstSubsample;
if (subsample.subsample_flags & OEMCrypto_LastSubsample &&
subsample.num_bytes_encrypted == 0)
fake_subsample.subsample_flags |= OEMCrypto_LastSubsample;
sts = DecryptSubsampleHalf(session_id, fake_sample, pattern);
if (sts != OEMCrypto_SUCCESS) return sts;
// Advance the buffers for the other half, in case they're needed.
fake_sample.buffers.input_data += subsample.num_bytes_clear;
advance_dest_buffer(&fake_sample.buffers.output_descriptor,
subsample.num_bytes_clear);
}
if (subsample.num_bytes_encrypted > 0) {
fake_sample.buffers.input_data_length = subsample.num_bytes_encrypted;
fake_subsample.num_bytes_clear = 0;
fake_subsample.num_bytes_encrypted = subsample.num_bytes_encrypted;
fake_subsample.block_offset = subsample.block_offset;
fake_subsample.subsample_flags = 0;
if (subsample.subsample_flags & OEMCrypto_FirstSubsample &&
subsample.num_bytes_clear == 0)
fake_subsample.subsample_flags |= OEMCrypto_FirstSubsample;
if (subsample.subsample_flags & OEMCrypto_LastSubsample)
fake_subsample.subsample_flags |= OEMCrypto_LastSubsample;
sts = DecryptSubsampleHalf(session_id, fake_sample, pattern);
if (sts != OEMCrypto_SUCCESS) return sts;
}
return sts;
}
// Decrypts the given subsample half. There is no fallback behavior after this;
// an OEMCrypto_ERROR_BUFFER_TOO_LARGE produced here will be returned to the
// caller.
OEMCryptoResult DecryptFallbackChain::DecryptSubsampleHalf(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
const OEMCrypto_CENCEncryptPatternDesc* pattern) {
return OEMCrypto_DecryptCENC(session_id, &sample, 1, pattern);
// In a real CDM, you would want some fallback here to handle the case where
// the buffer is too big for the OEMCrypto implementation. But in the case of
// the tests, we won't be passing a buffer that's too big unless we are trying
// to test that failure condition, so there's no need to handle that case
// here.
}
} // namespace wvoec

59
oemcrypto/test/oec_decrypt_fallback_chain.h Normal file
View File

@@ -0,0 +1,59 @@
// Copyright 2019 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine Master
// License Agreement.
#ifndef CDM_OEC_DECRYPT_FALLBACK_CHAIN_H_
#define CDM_OEC_DECRYPT_FALLBACK_CHAIN_H_
#include "OEMCryptoCENC.h"
#include "disallow_copy_and_assign.h"
namespace wvoec {
// This class groups static methods relating to providing proper fallback
// behavior when calling DecryptCENC in OEMCrypto v16. Outside code can leverage
// this behavior by passing the samples to be decrypted to Decrypt(), which will
// set off the chain of fallback functions as needed.
//
// The behavior of this class is pathological. For each block of data, it will
// greedily try every possible way of passing data to OEMCrypto until one works.
// In the order tried, the ways to send data are:
// 1) Multiple Samples at once
// 2) Individual Samples one at a time
// 3) Individual Subsamples one at a time
// 4) Individual Half-Subsamples one at a time
// On a device that only accepts half-subsamples, the way OEMCrypto v15 did,
// this results in many needless roundtrips to OEMCrypto. This would be
// inefficient behavior for a real CDM, but for the sake of testing, we want to
// use the maximal way the OEMCrypto implementation will accept the data. And,
// for implementations that do not accept multiple samples or subsamples per
// call, we want to test that they correctly reject larger calls.
class DecryptFallbackChain {
public:
static OEMCryptoResult Decrypt(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription* samples,
size_t samples_length, OEMCryptoCipherMode cipher_mode,
const OEMCrypto_CENCEncryptPatternDesc* pattern);
private:
static OEMCryptoResult DecryptSample(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
OEMCryptoCipherMode cipher_mode,
const OEMCrypto_CENCEncryptPatternDesc* pattern);
static OEMCryptoResult DecryptSubsample(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
const OEMCrypto_CENCEncryptPatternDesc* pattern);
static OEMCryptoResult DecryptSubsampleHalf(
OEMCrypto_SESSION session_id, const OEMCrypto_SampleDescription& sample,
const OEMCrypto_CENCEncryptPatternDesc* pattern);
// There is no reason to have an instance of this class.
DecryptFallbackChain() = delete;
CORE_DISALLOW_COPY_AND_ASSIGN(DecryptFallbackChain);
};
} // namespace wvoec
#endif // CDM_OEC_DECRYPT_FALLBACK_CHAIN_H_

87
oemcrypto/test/oec_session_util.cpp
View File

@@ -51,6 +51,8 @@ void DeleteX509Stack(STACK_OF(X509)* stack) {
sk_X509_pop_free(stack, X509_free);
}
constexpr size_t kTestSubsampleSectionSize = 256;
} // namespace
namespace wvoec {
@@ -60,6 +62,39 @@ int GetRandBytes(unsigned char* buf, int num) {
return RAND_bytes(buf, num);
}
// Does the boilerplate to fill out sample and subsample descriptions for
// decrypting a single contiguous block of encrypted data to clear memory, which
// is a common operation for tests. Generates a random IV which can be used to
// encrypt the input buffer.
void GenerateSimpleSampleDescription(
const uint8_t* input_data, size_t input_data_length, uint8_t* output_buffer,
size_t output_buffer_length, OEMCrypto_SampleDescription* sample,
OEMCrypto_SubSampleDescription* subsample) {
ASSERT_NE(nullptr, sample);
ASSERT_NE(nullptr, subsample);
// Generate test data
EXPECT_EQ(1, GetRandBytes(&sample->iv[0], KEY_IV_SIZE));
// Describe the test data
sample->buffers.input_data = input_data;
sample->buffers.input_data_length = input_data_length;
subsample->num_bytes_clear = 0;
subsample->num_bytes_encrypted = input_data_length;
subsample->subsample_flags =
OEMCrypto_FirstSubsample | OEMCrypto_LastSubsample;
subsample->block_offset = 0;
sample->subsamples = subsample;
sample->subsamples_length = 1;
// Describe the output
OEMCrypto_DestBufferDesc& out_buffer_descriptor =
sample->buffers.output_descriptor;
out_buffer_descriptor.type = OEMCrypto_BufferType_Clear;
out_buffer_descriptor.buffer.clear.address = output_buffer;
out_buffer_descriptor.buffer.clear.address_length = output_buffer_length;
}
// Increment counter for AES-CTR. The CENC spec specifies we increment only
// the low 64 bits of the IV counter, and leave the high 64 bits alone. This
// is different from the BoringSSL implementation, so we implement the CTR loop
@@ -1445,43 +1480,35 @@ void Session::TestDecryptCTR(bool select_key_first,
}
}
vector<uint8_t> unencryptedData(256);
for (size_t i = 0; i < unencryptedData.size(); i++)
unencryptedData[i] = i % 256;
EXPECT_EQ(1, GetRandBytes(unencryptedData.data(), unencryptedData.size()));
vector<uint8_t> encryptionIv(KEY_IV_SIZE);
EXPECT_EQ(1, GetRandBytes(encryptionIv.data(), KEY_IV_SIZE));
vector<uint8_t> encryptedData(unencryptedData.size());
EncryptCTR(unencryptedData, license_.keys[key_index].key_data,
encryptionIv.data(), &encryptedData);
// Create test sample description
vector<uint8_t> unencrypted_data(kTestSubsampleSectionSize);
vector<uint8_t> encrypted_data(unencrypted_data.size());
vector<uint8_t> output_buffer(unencrypted_data.size());
OEMCrypto_SampleDescription sample_description;
OEMCrypto_SubSampleDescription subsample_description;
ASSERT_NO_FATAL_FAILURE(GenerateSimpleSampleDescription(
encrypted_data.data(), encrypted_data.size(), output_buffer.data(),
output_buffer.size(), &sample_description, &subsample_description));
// Generate test data
EXPECT_EQ(1, GetRandBytes(unencrypted_data.data(), unencrypted_data.size()));
EncryptCTR(unencrypted_data, license_.keys[key_index].key_data,
&sample_description.iv[0], &encrypted_data);
// Create the pattern description (always 0,0 for CTR)
OEMCrypto_CENCEncryptPatternDesc pattern = {0, 0};
// Describe the output
vector<uint8_t> outputBuffer(256);
OEMCrypto_DestBufferDesc out_buffer_descriptor;
out_buffer_descriptor.type = OEMCrypto_BufferType_Clear;
out_buffer_descriptor.buffer.clear.address = outputBuffer.data();
out_buffer_descriptor.buffer.clear.address_length = outputBuffer.size();
OEMCrypto_CENCEncryptPatternDesc pattern;
pattern.encrypt = 0;
pattern.skip = 0;
// Decrypt the data
#if 1 // TODO(b/135285640): Until the DecryptCENC is fixed, we
// just copy the truth data to the outputBuffer, and claim success.
sts = expected_result;
if (expected_result == OEMCrypto_SUCCESS) outputBuffer = unencryptedData;
#else
sts = OEMCrypto_DecryptCENC(
session_id(), encryptedData.data(), encryptedData.size(), true,
encryptionIv.data(), 0, &out_buffer_descriptor, &pattern,
OEMCrypto_FirstSubsample | OEMCrypto_LastSubsample);
#endif
sts = OEMCrypto_DecryptCENC(session_id(), &sample_description, 1, &pattern);
// We only have a few errors that we test are reported.
if (expected_result == OEMCrypto_SUCCESS) { // No error.
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
ASSERT_EQ(unencryptedData, outputBuffer);
ASSERT_EQ(unencrypted_data, output_buffer);
} else {
ASSERT_NO_FATAL_FAILURE(TestDecryptResult(expected_result, sts));
ASSERT_NE(unencryptedData, outputBuffer);
ASSERT_NE(unencrypted_data, output_buffer);
}
}

7
oemcrypto/test/oec_session_util.h
View File

@@ -117,6 +117,13 @@ struct EntitledContentKeyData {
// returns 1 on success, -1 if not supported, or 0 if other failure.
int GetRandBytes(unsigned char* buf, int num);
void GenerateSimpleSampleDescription(const uint8_t* input_data,
size_t input_data_length,
uint8_t* output_buffer,
size_t output_buffer_length,
OEMCrypto_SampleDescription* sample,
OEMCrypto_SubSampleDescription* subsample);
// Increment counter for AES-CTR. The CENC spec specifies we increment only
// the low 64 bits of the IV counter, and leave the high 64 bits alone. This
// is different from the OpenSSL implementation, so we implement the CTR loop

683
oemcrypto/test/oemcrypto_test.cpp
View File

@@ -32,6 +32,7 @@
#include "OEMCryptoCENC.h"
#include "clock.h"
#include "log.h"
#include "oec_decrypt_fallback_chain.h"
#include "oec_device_features.h"
#include "oec_session_util.h"
#include "oec_test_data.h"
@@ -95,12 +96,15 @@ T GetResourceValue(T (&resource_values)[N]) {
if (global_features.resource_rating > N) return resource_values[N-1];
return resource_values[global_features.resource_rating-1];
}
const size_t kMaxSampleSize[] = { 1000*KiB, 2*MiB, 4*MiB};
// clang-format off
const size_t kMaxSampleSize[] = { 1*MiB, 2*MiB, 4*MiB};
const size_t kMaxNumberSubsamples[] = { 10, 16, 32};
const size_t kMaxSubsampleSize[] = { 100*KiB, 500*KiB, 1*MiB};
const size_t kMaxGenericBuffer[] = { 10*KiB, 100*KiB, 500*KiB};
const size_t kMaxConcurrentSession[] = { 10, 20, 20};
const size_t kMaxKeysPerSession [] = { 4, 20, 20};
const size_t kMaxKeysPerSession[] = { 4, 20, 20};
// clang-format on
// Note: Frame rate and simultaneous playback are specified by resource rating,
// but are tested at the system level, so there are no unit tests for frame
// rate.
@@ -1342,30 +1346,123 @@ TEST_P(OEMCryptoLicenseTest, SelectKeyNotThereAPI15) {
// Delayed error code. If select key was a success, then we should
// eventually see the error when we decrypt.
vector<uint8_t> in_buffer(256);
for (size_t i = 0; i < in_buffer.size(); i++) in_buffer[i] = i % 256;
vector<uint8_t> encryptionIv(AES_BLOCK_SIZE);
EXPECT_EQ(1, GetRandBytes(encryptionIv.data(), AES_BLOCK_SIZE));
// Describe the output
vector<uint8_t> out_buffer(in_buffer.size());
OEMCrypto_DestBufferDesc destBuffer;
destBuffer.type = OEMCrypto_BufferType_Clear;
destBuffer.buffer.clear.address = out_buffer.data();
destBuffer.buffer.clear.address_length = out_buffer.size();
OEMCrypto_CENCEncryptPatternDesc pattern;
pattern.encrypt = 0;
pattern.skip = 0;
// Decrypt the data
#if 0 // TODO(b/135285640): fix this.
const bool is_encrypted = true;
sts = OEMCrypto_DecryptCENC(
s.session_id(), in_buffer.data(), in_buffer.size(), is_encrypted,
encryptionIv.data(), 0, &destBuffer, &pattern,
OEMCrypto_FirstSubsample | OEMCrypto_LastSubsample);
#endif
OEMCrypto_SampleDescription sample_description;
OEMCrypto_SubSampleDescription subsample_description;
ASSERT_NO_FATAL_FAILURE(GenerateSimpleSampleDescription(
in_buffer.data(), in_buffer.size(), out_buffer.data(),
out_buffer.size(), &sample_description, &subsample_description));
// Generate test data
for (size_t i = 0; i < in_buffer.size(); i++) in_buffer[i] = i % 256;
// Create the pattern description (always 0,0 for CTR)
OEMCrypto_CENCEncryptPatternDesc pattern = {0, 0};
// Try to decrypt the data
sts = OEMCrypto_DecryptCENC(session_.session_id(), &sample_description, 1,
&pattern);
EXPECT_EQ(OEMCrypto_ERROR_NO_CONTENT_KEY, sts);
}
}
// 'cens' mode is no longer supported in v16
TEST_F(OEMCryptoSessionTests, RejectCensAPI16) {
Session s;
ASSERT_NO_FATAL_FAILURE(s.open());
ASSERT_NO_FATAL_FAILURE(InstallTestRSAKey(&s));
ASSERT_NO_FATAL_FAILURE(s.FillSimpleMessage(0, 0, 0));
ASSERT_NO_FATAL_FAILURE(s.EncryptAndSign());
ASSERT_NO_FATAL_FAILURE(s.LoadTestKeys());
OEMCryptoResult sts;
sts = OEMCrypto_SelectKey(s.session_id(), s.license().keys[0].key_id,
s.license().keys[0].key_id_length,
OEMCrypto_CipherMode_CTR);
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
vector<uint8_t> in_buffer(256);
vector<uint8_t> out_buffer(in_buffer.size());
OEMCrypto_SampleDescription sample_description;
OEMCrypto_SubSampleDescription subsample_description;
ASSERT_NO_FATAL_FAILURE(GenerateSimpleSampleDescription(
in_buffer.data(), in_buffer.size(), out_buffer.data(), out_buffer.size(),
&sample_description, &subsample_description));
// Create a non-zero pattern to indicate this is 'cens'
OEMCrypto_CENCEncryptPatternDesc pattern = {1, 9};
// Try to decrypt the data
sts = OEMCrypto_DecryptCENC(s.session_id(), &sample_description, 1, &pattern);
EXPECT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts);
}
// 'cbc1' mode is no longer supported in v16
TEST_F(OEMCryptoSessionTests, RejectCbc1API16) {
Session s;
ASSERT_NO_FATAL_FAILURE(s.open());
ASSERT_NO_FATAL_FAILURE(InstallTestRSAKey(&s));
ASSERT_NO_FATAL_FAILURE(s.FillSimpleMessage(0, 0, 0));
ASSERT_NO_FATAL_FAILURE(s.EncryptAndSign());
ASSERT_NO_FATAL_FAILURE(s.LoadTestKeys());
OEMCryptoResult sts;
sts = OEMCrypto_SelectKey(s.session_id(), s.license().keys[0].key_id,
s.license().keys[0].key_id_length,
OEMCrypto_CipherMode_CBC);
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
vector<uint8_t> in_buffer(256);
vector<uint8_t> out_buffer(in_buffer.size());
OEMCrypto_SampleDescription sample_description;
OEMCrypto_SubSampleDescription subsample_description;
ASSERT_NO_FATAL_FAILURE(GenerateSimpleSampleDescription(
in_buffer.data(), in_buffer.size(), out_buffer.data(), out_buffer.size(),
&sample_description, &subsample_description));
// Create a zero pattern to indicate this is 'cbc1'
OEMCrypto_CENCEncryptPatternDesc pattern = {0, 0};
// Try to decrypt the data
sts = OEMCrypto_DecryptCENC(s.session_id(), &sample_description, 1, &pattern);
EXPECT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts);
}
TEST_F(OEMCryptoSessionTests, RejectCbcWithBlockOffset) {
Session s;
ASSERT_NO_FATAL_FAILURE(s.open());
ASSERT_NO_FATAL_FAILURE(InstallTestRSAKey(&s));
ASSERT_NO_FATAL_FAILURE(s.FillSimpleMessage(0, 0, 0));
ASSERT_NO_FATAL_FAILURE(s.EncryptAndSign());
ASSERT_NO_FATAL_FAILURE(s.LoadTestKeys());
OEMCryptoResult sts;
sts = OEMCrypto_SelectKey(s.session_id(), s.license().keys[0].key_id,
s.license().keys[0].key_id_length,
OEMCrypto_CipherMode_CBC);
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
vector<uint8_t> in_buffer(256);
vector<uint8_t> out_buffer(in_buffer.size());
OEMCrypto_SampleDescription sample_description;
OEMCrypto_SubSampleDescription subsample_description;
ASSERT_NO_FATAL_FAILURE(GenerateSimpleSampleDescription(
in_buffer.data(), in_buffer.size(), out_buffer.data(), out_buffer.size(),
&sample_description, &subsample_description));
subsample_description.block_offset = 5; // Any value 1-15 will do.
// Create a non-zero pattern to indicate this is 'cbcs'.
OEMCrypto_CENCEncryptPatternDesc pattern = {1, 9};
// Try to decrypt the data
sts = OEMCrypto_DecryptCENC(s.session_id(), &sample_description, 1, &pattern);
EXPECT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts);
}
// After loading keys, we should be able to query the key control block. If we
// attempt to query a key that has not been loaded, the error should be
// NO_CONTENT_KEY.
@@ -1766,16 +1863,23 @@ TEST_F(OEMCryptoSessionTests, SimultaneousDecrypt) {
}
}
struct SampleSize {
struct SubsampleSize {
size_t clear_size;
size_t encrypted_size;
SampleSize(size_t clear, size_t encrypted)
SubsampleSize(size_t clear, size_t encrypted)
: clear_size(clear), encrypted_size(encrypted) {}
};
struct SampleInitData {
uint8_t iv[AES_BLOCK_SIZE];
size_t block_offset;
// Struct for holding the data for one test sample in the decrypt tests.
struct TestSample {
// Encrypted data -- this is input to OEMCrypto, and output from EncryptData.
std::vector<uint8_t> encrypted_buffer;
std::vector<uint8_t> clear_buffer; // OEMCrypto store clear output here.
std::vector<uint8_t> truth_buffer; // Truth data for clear text.
OEMCrypto_SampleDescription description;
std::vector<OEMCrypto_SubSampleDescription> subsamples;
int secure_buffer_fid;
};
// A class of tests that test decryption for a variety of patterns and modes.
@@ -1798,11 +1902,9 @@ class OEMCryptoSessionTestsDecryptTests
output_buffer_type_ = ::testing::get<2>(GetParam()).type;
verify_crc_ = global_features.supports_crc;
// Pick a random key.
EXPECT_EQ(1, GetRandBytes(key_, AES_BLOCK_SIZE));
EXPECT_EQ(1, GetRandBytes(&key_[0], sizeof(key_)));
// Pick a random starting iv. Some tests override this before using it.
starting_iv_.resize(AES_BLOCK_SIZE);
EXPECT_EQ(1, GetRandBytes(starting_iv_.data(), starting_iv_.size()));
total_size_ = -1;
EXPECT_EQ(1, GetRandBytes(&initial_iv_[0], sizeof(initial_iv_)));
}
void TearDown() override {
@@ -1811,83 +1913,109 @@ class OEMCryptoSessionTestsDecryptTests
OEMCryptoSessionTests::TearDown();
}
void FindTotalSize() {
total_size_ = 0;
for (size_t i = 0; i < subsample_size_.size(); i++) {
total_size_ +=
subsample_size_[i].clear_size + subsample_size_[i].encrypted_size;
void SetSubsampleSizes(std::vector<SubsampleSize> subsample_sizes) {
// This is just sugar for having one sample with the given subsamples in it.
SetSampleSizes({subsample_sizes});
}
void SetSampleSizes(std::vector<std::vector<SubsampleSize>> sample_sizes) {
ASSERT_GT(sample_sizes.size(), 0u);
samples_.reserve(sample_sizes.size());
// Convert all the size arrays to TestSample structs
for (const std::vector<SubsampleSize>& subsample_sizes : sample_sizes) {
// This could be one line if we had C++17
samples_.emplace_back();
TestSample& sample = samples_.back();
ASSERT_GT(subsample_sizes.size(), 0u);
sample.subsamples.reserve(subsample_sizes.size());
// Convert all the sizes to subsample descriptions and tally the total
// size
size_t total_size = 0;
size_t current_block_offset = 0;
for (const SubsampleSize& size : subsample_sizes) {
sample.subsamples.push_back(OEMCrypto_SubSampleDescription{
size.clear_size, size.encrypted_size,
0, // Subsample Flags, to be filled in after the loop
current_block_offset});
// Update the rolling variables
total_size += size.clear_size + size.encrypted_size;
if (cipher_mode_ == OEMCrypto_CipherMode_CTR) {
current_block_offset =
(current_block_offset + size.encrypted_size) % AES_BLOCK_SIZE;
}
}
// Set up the input buffer and either a clear or secure output buffer.
// This should be called after FindTotalSize().
// Set the subsample flags now that all the subsamples are processed
sample.subsamples.front().subsample_flags |= OEMCrypto_FirstSubsample;
sample.subsamples.back().subsample_flags |= OEMCrypto_LastSubsample;
// Set related information on the sample description
sample.description.subsamples = sample.subsamples.data();
sample.description.subsamples_length = sample.subsamples.size();
sample.description.buffers.input_data_length = total_size;
}
}
// Set up the input buffer and either a clear or secure output buffer for each
// test sample. This should be called after SetSubsampleSizes().
void MakeBuffers() {
ASSERT_GT(total_size_, 0u);
encrypted_buffer_.resize(total_size_);
truth_buffer_.resize(total_size_);
for (size_t i = 0; i < total_size_; i++) truth_buffer_[i] = i % 256;
output_descriptor_.type = output_buffer_type_;
switch (output_descriptor_.type) {
for (TestSample& sample : samples_) {
const size_t total_size = sample.description.buffers.input_data_length;
ASSERT_GT(total_size, 0u);
sample.encrypted_buffer.resize(total_size);
sample.truth_buffer.resize(total_size);
for (size_t i = 0; i < total_size; i++) sample.truth_buffer[i] = i % 256;
OEMCrypto_DestBufferDesc& output_descriptor =
sample.description.buffers.output_descriptor;
output_descriptor.type = output_buffer_type_;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
if (decrypt_inplace_) {
output_descriptor_.buffer.clear.address = encrypted_buffer_.data();
output_descriptor.buffer.clear.address =
sample.encrypted_buffer.data();
} else {
// Add some padding to verify there is no overrun.
clear_buffer_.resize(total_size_ + 16, 0xaa);
output_descriptor_.buffer.clear.address = clear_buffer_.data();
sample.clear_buffer.resize(total_size + 16, 0xaa);
output_descriptor.buffer.clear.address = sample.clear_buffer.data();
}
output_descriptor_.buffer.clear.address_length = total_size_;
output_descriptor.buffer.clear.address_length = total_size;
break;
case OEMCrypto_BufferType_Secure:
output_descriptor_.buffer.secure.handle_length = total_size_;
output_descriptor.buffer.secure.handle_length = total_size;
ASSERT_EQ(OEMCrypto_SUCCESS,
OEMCrypto_AllocateSecureBuffer(
session_.session_id(), total_size_, &output_descriptor_,
&secure_buffer_fid_));
ASSERT_NE(nullptr, output_descriptor_.buffer.secure.handle);
// It is OK if OEMCrypto changes the maximum size, but there must still
// be enough room for our data.
ASSERT_GE(output_descriptor_.buffer.secure.handle_length, total_size_);
output_descriptor_.buffer.secure.offset = 0;
session_.session_id(), total_size, &output_descriptor,
&sample.secure_buffer_fid));
ASSERT_NE(nullptr, output_descriptor.buffer.secure.handle);
// It is OK if OEMCrypto changes the maximum size, but there must
// still be enough room for our data.
ASSERT_GE(output_descriptor.buffer.secure.handle_length, total_size);
output_descriptor.buffer.secure.offset = 0;
break;
case OEMCrypto_BufferType_Direct:
output_descriptor_.buffer.direct.is_video = false;
break;
default:
ASSERT_TRUE(false) << "Invalid buffer type.";
}
}
void UpdateOutputOffset(size_t offset) {
switch (output_descriptor_.type) {
case OEMCrypto_BufferType_Clear:
if (decrypt_inplace_) {
output_descriptor_.buffer.clear.address =
encrypted_buffer_.data() + offset;
} else {
output_descriptor_.buffer.clear.address =
clear_buffer_.data() + offset;
}
output_descriptor_.buffer.clear.address_length = total_size_ - offset;
break;
case OEMCrypto_BufferType_Secure:
ASSERT_NE(nullptr, output_descriptor_.buffer.secure.handle);
ASSERT_GE(output_descriptor_.buffer.secure.handle_length, total_size_);
output_descriptor_.buffer.secure.offset = offset;
break;
case OEMCrypto_BufferType_Direct:
output_descriptor.buffer.direct.is_video = false;
break;
default:
ASSERT_TRUE(false) << "Invalid buffer type.";
}
} // switch (output_descriptor.type)
} // sample loop
}
void FreeBuffers() {
if (output_descriptor_.type == OEMCrypto_BufferType_Secure) {
ASSERT_EQ(
OEMCrypto_SUCCESS,
OEMCrypto_FreeSecureBuffer(session_.session_id(), &output_descriptor_,
secure_buffer_fid_));
for (TestSample& sample : samples_) {
OEMCrypto_DestBufferDesc& output_descriptor =
sample.description.buffers.output_descriptor;
if (output_descriptor.type == OEMCrypto_BufferType_Secure) {
ASSERT_EQ(OEMCrypto_SUCCESS,
OEMCrypto_FreeSecureBuffer(session_.session_id(),
&output_descriptor,
sample.secure_buffer_fid));
}
}
}
@@ -1895,27 +2023,29 @@ class OEMCryptoSessionTestsDecryptTests
AES_KEY aes_key;
AES_set_encrypt_key(key_, AES_BLOCK_SIZE * 8, &aes_key);
uint8_t iv[AES_BLOCK_SIZE]; // Current iv.
memcpy(iv, starting_iv_.data(), AES_BLOCK_SIZE);
for (TestSample& sample : samples_) {
uint8_t iv[KEY_IV_SIZE]; // Current IV
memcpy(&iv[0], &initial_iv_[0], KEY_IV_SIZE);
memcpy(&sample.description.iv[0], &initial_iv_[0], KEY_IV_SIZE);
size_t buffer_index = 0; // byte index into in and out.
size_t block_offset = 0; // byte index into current block.
for (size_t i = 0; i < subsample_size_.size(); i++) {
for (const OEMCrypto_SubSampleDescription& subsample :
sample.subsamples) {
// Copy clear content.
if (subsample_size_[i].clear_size > 0) {
memcpy(&encrypted_buffer_[buffer_index], &truth_buffer_[buffer_index],
subsample_size_[i].clear_size);
buffer_index += subsample_size_[i].clear_size;
if (subsample.num_bytes_clear > 0) {
memcpy(&sample.encrypted_buffer[buffer_index],
&sample.truth_buffer[buffer_index], subsample.num_bytes_clear);
buffer_index += subsample.num_bytes_clear;
}
// Save the current iv and offsets for call to DecryptCENC.
sample_init_data_.push_back(SampleInitData());
memcpy(sample_init_data_[i].iv, iv, AES_BLOCK_SIZE);
// Note: final CENC spec specifies the pattern_offset = 0 at the
// start of each subsample.
size_t pattern_offset = 0;
sample_init_data_[i].block_offset = block_offset;
size_t subsample_end = buffer_index + subsample_size_[i].encrypted_size;
// The IV resets at the start of each subsample in the 'cbcs' schema.
if (cipher_mode_ == OEMCrypto_CipherMode_CBC) {
memcpy(&iv[0], &initial_iv_[0], KEY_IV_SIZE);
}
size_t pattern_offset = 0;
size_t subsample_end = buffer_index + subsample.num_bytes_encrypted;
while (buffer_index < subsample_end) {
size_t size =
min(subsample_end - buffer_index, AES_BLOCK_SIZE - block_offset);
@@ -1928,44 +2058,52 @@ class OEMCryptoSessionTestsDecryptTests
// CBC mode should just copy a partial block at the end. If there
// is a partial block at the beginning, an error is returned, so we
// can put whatever we want in the output buffer.
//
// TODO(b/140503351): The (size < AES_BLOCK_SIZE) check is not correct
// for patterns where (pattern.encrypt > 1).
if (skip_block || ((cipher_mode_ == OEMCrypto_CipherMode_CBC) &&
(size < AES_BLOCK_SIZE))) {
memcpy(&encrypted_buffer_[buffer_index], &truth_buffer_[buffer_index],
size);
memcpy(&sample.encrypted_buffer[buffer_index],
&sample.truth_buffer[buffer_index], size);
block_offset = 0; // Next block should be complete.
} else {
if (cipher_mode_ == OEMCrypto_CipherMode_CTR) {
uint8_t aes_output[AES_BLOCK_SIZE];
AES_encrypt(iv, aes_output, &aes_key);
for (size_t n = 0; n < size; n++) {
encrypted_buffer_[buffer_index + n] =
sample.encrypted_buffer[buffer_index + n] =
aes_output[n + block_offset] ^
truth_buffer_[buffer_index + n];
sample.truth_buffer[buffer_index + n];
}
if (size + block_offset < AES_BLOCK_SIZE) {
// Partial block. Don't increment iv. Compute next block offset.
// Partial block. Don't increment iv. Compute next block
// offset.
block_offset = block_offset + size;
} else {
EXPECT_EQ(static_cast<size_t>(AES_BLOCK_SIZE),
block_offset + size);
// Full block. Increment iv, and set offset to 0 for next block.
// Full block. Increment iv, and set offset to 0 for next
// block.
ctr128_inc64(1, iv);
block_offset = 0;
}
} else {
uint8_t aes_input[AES_BLOCK_SIZE];
for (size_t n = 0; n < size; n++) {
aes_input[n] = truth_buffer_[buffer_index + n] ^ iv[n];
aes_input[n] = sample.truth_buffer[buffer_index + n] ^ iv[n];
}
AES_encrypt(aes_input, &encrypted_buffer_[buffer_index], &aes_key);
memcpy(iv, &encrypted_buffer_[buffer_index], AES_BLOCK_SIZE);
AES_encrypt(aes_input, &sample.encrypted_buffer[buffer_index],
&aes_key);
memcpy(iv, &sample.encrypted_buffer[buffer_index],
AES_BLOCK_SIZE);
// CBC mode should always start on block boundary.
block_offset = 0;
}
}
buffer_index += size;
}
}
} // encryption loop
} // per-subsample loop
} // per-sample loop
}
void LoadLicense() {
@@ -1989,76 +2127,55 @@ class OEMCryptoSessionTestsDecryptTests
void TestDecryptCENC() {
OEMCryptoResult sts;
// If supported, initialize the decrypt hash.
// If supported, check the decrypt hashes.
if (verify_crc_) {
uint32_t hash = wvcrc32(truth_buffer_.data(), truth_buffer_.size());
// OEMCrypto only supports providing a decrypt hash for the first sample
// in the sample array.
const TestSample& sample = samples_[0];
uint32_t hash =
wvcrc32(sample.truth_buffer.data(), sample.truth_buffer.size());
ASSERT_EQ(OEMCrypto_SUCCESS,
OEMCrypto_SetDecryptHash(
session_.session_id(), 1,
reinterpret_cast<const uint8_t*>(&hash), sizeof(hash)));
}
size_t buffer_offset = 0;
for (size_t i = 0; i < subsample_size_.size(); i++) {
// TODO(b/135285640): OEMCrypto_CENCEncryptPatternDesc pattern = pattern_;
bool is_encrypted = false;
size_t block_offset = 0;
uint8_t subsample_flags = 0;
if (subsample_size_[i].clear_size > 0) {
ASSERT_NO_FATAL_FAILURE(UpdateOutputOffset(buffer_offset));
if (i == 0) subsample_flags |= OEMCrypto_FirstSubsample;
if ((i == subsample_size_.size() - 1) &&
(subsample_size_[i].encrypted_size == 0)) {
subsample_flags |= OEMCrypto_LastSubsample;
// Build an array of just the sample descriptions.
std::vector<OEMCrypto_SampleDescription> sample_descriptions;
sample_descriptions.reserve(samples_.size());
for (TestSample& sample : samples_) {
// This must be deferred until this point in case the test modifies the
// buffer before testing decrypt.
sample.description.buffers.input_data = sample.encrypted_buffer.data();
// Append to the description array.
sample_descriptions.push_back(sample.description);
}
#if 0 // TODO(b/135285640): fix this.
sts = OEMCrypto_DecryptCENC(
session_.session_id(), &encrypted_buffer_[buffer_offset],
subsample_size_[i].clear_size, is_encrypted,
sample_init_data_[i].iv, block_offset, &output_descriptor_,
&pattern, subsample_flags);
#endif
// Perform decryption using the test data that was previously set up.
sts = DecryptFallbackChain::Decrypt(
session_.session_id(), sample_descriptions.data(),
sample_descriptions.size(), cipher_mode_, &pattern_);
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
buffer_offset += subsample_size_[i].clear_size;
}
if (subsample_size_[i].encrypted_size > 0) {
ASSERT_NO_FATAL_FAILURE(UpdateOutputOffset(buffer_offset));
is_encrypted = true;
block_offset = sample_init_data_[i].block_offset;
subsample_flags = 0;
if ((i == 0) && (subsample_size_[i].clear_size == 0)) {
subsample_flags |= OEMCrypto_FirstSubsample;
}
if (i == subsample_size_.size() - 1) {
subsample_flags |= OEMCrypto_LastSubsample;
}
#if 0 // TODO(b/135285640): fix this.
sts = OEMCrypto_DecryptCENC(
session_.session_id(), &encrypted_buffer_[buffer_offset],
subsample_size_[i].encrypted_size, is_encrypted,
sample_init_data_[i].iv, block_offset, &output_descriptor_,
&pattern, subsample_flags);
#endif
// CBC mode should not accept a block offset.
if ((block_offset > 0) && (cipher_mode_ == OEMCrypto_CipherMode_CBC)) {
ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts)
<< "CBC Mode should reject a non-zero block offset.";
return;
}
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
buffer_offset += subsample_size_[i].encrypted_size;
}
}
if (output_descriptor_.type == OEMCrypto_BufferType_Clear) {
// Validate the decrypted data.
for (TestSample& sample : samples_) {
if (sample.description.buffers.output_descriptor.type ==
OEMCrypto_BufferType_Clear) {
if (decrypt_inplace_) {
// We expect encrypted buffer to have been changed by OEMCrypto.
EXPECT_EQ(encrypted_buffer_, truth_buffer_);
EXPECT_EQ(sample.encrypted_buffer, sample.truth_buffer);
} else {
// If we are not decrypting in place, then look at the one byte just
// after the data that was written. It should not have changed from the
// original 0xaa that we set in MakeBuffersession_.
EXPECT_EQ(0xaa, clear_buffer_[total_size_]) << "Buffer overrun.";
clear_buffer_.resize(total_size_); // Remove padding.
EXPECT_EQ(clear_buffer_, truth_buffer_);
// after the data that was written. It should not have changed from
// the original 0xaa that we set in MakeBuffersession_.
const size_t total_size =
sample.description.buffers.input_data_length;
EXPECT_EQ(0xaa, sample.clear_buffer[total_size]) << "Buffer overrun.";
sample.clear_buffer.resize(total_size); // Remove padding.
EXPECT_EQ(sample.clear_buffer, sample.truth_buffer);
}
}
}
if (global_features.supports_crc) {
@@ -2068,36 +2185,26 @@ class OEMCryptoSessionTestsDecryptTests
}
}
// Parameters of test case
OEMCrypto_CENCEncryptPatternDesc pattern_;
OEMCryptoCipherMode cipher_mode_;
bool decrypt_inplace_; // If true, input and output buffers are the same.
OEMCryptoBufferType output_buffer_type_;
vector<SampleSize> subsample_size_;
size_t total_size_;
bool verify_crc_;
vector<SampleInitData> sample_init_data_;
// Encrypted data -- this is input to OEMCrypto, and output from EncryptData.
std::vector<uint8_t> encrypted_buffer_;
std::vector<uint8_t> clear_buffer_; // OEMCrypto store clear output here.
std::vector<uint8_t> truth_buffer_; // Truth data for clear text.
OEMCrypto_DestBufferDesc output_descriptor_;
int secure_buffer_fid_;
uint8_t key_[AES_BLOCK_SIZE]; // Encryption Key.
std::vector<uint8_t> starting_iv_; // Starting IV.
uint8_t initial_iv_[KEY_IV_SIZE]; // Starting IV for every sample.
std::vector<TestSample> samples_;
Session session_;
};
// Tests that generate partial ending blocks. These tests should not be used
// with CTR mode and pattern encrypt.
class OEMCryptoSessionTestsPartialBlockTests
: public OEMCryptoSessionTestsDecryptTests {};
TEST_P(OEMCryptoSessionTestsDecryptTests, SingleLargeSubsample) {
// This subsample size is larger than a few encrypt/skip patterns. Most
// test cases use a pattern length of 160, so we'll run through at least two
// full patterns if we have more than 320 -- round up to 400.
subsample_size_.push_back(SampleSize(0, 400));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{0, 400},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2109,8 +2216,9 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, SingleLargeSubsample) {
// We require the CENC standard for OEMCrypto, and let a layer above us break
// samples into pieces if they wish to use the HLS standard.
TEST_P(OEMCryptoSessionTestsDecryptTests, PatternPlusOneBlock) {
subsample_size_.push_back(SampleSize(0, 160 + 16));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{0, 160 + 16},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2119,8 +2227,9 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, PatternPlusOneBlock) {
// Test that a single block can be decrypted.
TEST_P(OEMCryptoSessionTestsDecryptTests, OneBlock) {
subsample_size_.push_back(SampleSize(0, 16));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{0, 16},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2128,13 +2237,13 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, OneBlock) {
}
// This tests the ability to decrypt multiple subsamples with no offset.
// There is no offset within the block, used by CTR mode. However, there might
// be an offset in the encrypt/skip pattern.
// There is no offset within the block, used by CTR mode.
TEST_P(OEMCryptoSessionTestsDecryptTests, NoOffset) {
subsample_size_.push_back(SampleSize(25, 160));
subsample_size_.push_back(SampleSize(50, 256));
subsample_size_.push_back(SampleSize(25, 160));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{25, 160},
{50, 256},
{25, 160},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2146,39 +2255,43 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, NoOffset) {
// the decrypt step.
// If this test fails for CTR mode, then it is probably handling the
// block_offset incorrectly.
TEST_P(OEMCryptoSessionTestsPartialBlockTests, EvenOffset) {
subsample_size_.push_back(SampleSize(25, 8));
subsample_size_.push_back(SampleSize(25, 32));
subsample_size_.push_back(SampleSize(25, 50));
FindTotalSize();
TEST_P(OEMCryptoSessionTestsDecryptTests, EvenOffset) {
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{25, 8},
{25, 32},
{25, 50},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
// CTR Mode is self-inverse -- i.e. We can pick the encrypted data and
// compute the unencrypted data. By picking the encrypted data to be all 0,
// it is easier to re-encrypt the data and debug problems. Similarly, we
// pick an iv = 0.
starting_iv_.assign(AES_BLOCK_SIZE, 0);
truth_buffer_.assign(total_size_, 0);
memset(&initial_iv_[0], 0, KEY_IV_SIZE);
TestSample& sample = samples_[0]; // There is only one sample in this test
sample.truth_buffer.assign(sample.description.buffers.input_data_length, 0);
ASSERT_NO_FATAL_FAILURE(EncryptData());
truth_buffer_ = encrypted_buffer_; // truth_buffer_ = encrypted zero buffer.
sample.truth_buffer =
sample.encrypted_buffer; // truth_buffer_ = encrypted zero buffer.
// Run EncryptData to re-encrypt this buffer. For CTR mode, we should get
// back to zeros.
ASSERT_NO_FATAL_FAILURE(EncryptData());
ASSERT_NO_FATAL_FAILURE(TestDecryptCENC());
}
// If the EvenOffset test passes, but this one doesn't, then DecryptCTR might
// If the EvenOffset test passes, but this one doesn't, then DecryptCENC might
// be using the wrong definition of block offset. Adding the block offset to
// the block boundary should give you the beginning of the encrypted data.
// This should only work for CTR mode, for CBC mode, the block offset must be
// 0, so an error is expected in the decrypt step.
// Another way to view the block offset is with the formula:
// block_boundary + block_offset = beginning of subsample.
TEST_P(OEMCryptoSessionTestsPartialBlockTests, OddOffset) {
subsample_size_.push_back(SampleSize(10, 50));
subsample_size_.push_back(SampleSize(10, 75));
subsample_size_.push_back(SampleSize(10, 25));
FindTotalSize();
TEST_P(OEMCryptoSessionTestsDecryptTests, OddOffset) {
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{10, 50},
{10, 75},
{10, 75},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2196,9 +2309,12 @@ TEST_P(OEMCryptoSessionTestsPartialBlockTests, OddOffset) {
// If you start with an IV of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE, after you
// increment twice, you should get 0xFFFFFFFFFFFFFFFF0000000000000000.
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptWithNearWrap) {
starting_iv_ = wvcdm::a2b_hex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE");
subsample_size_.push_back(SampleSize(0, 256));
FindTotalSize();
memcpy(&initial_iv_[0],
wvcdm::a2b_hex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE").data(),
KEY_IV_SIZE);
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{0, 256},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2208,44 +2324,68 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptWithNearWrap) {
// This tests the case where an encrypted sample is not an even number of
// blocks. For CTR mode, the partial block is encrypted. For CBC mode the
// partial block should be a copy of the clear data.
TEST_P(OEMCryptoSessionTestsPartialBlockTests, PartialBlock) {
TEST_P(OEMCryptoSessionTestsDecryptTests, PartialBlock) {
// Note: for more complete test coverage, we want a sample size that is in
// the encrypted range for some tests, e.g. (3,7), and in the skip range for
// other tests, e.g. (7, 3). 3*16 < 50 and 7*16 > 50.
subsample_size_.push_back(SampleSize(0, 50));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{0, 50},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
ASSERT_NO_FATAL_FAILURE(TestDecryptCENC());
}
// Based on the resource rating, oemcrypto should handle at least
// kMaxNumberSubsamples na kMaxSampleSize
// Based on the resource rating, OEMCrypto should be able to handle the maximum
// amount of data that can be passed to it. This is the lesser of:
//
// 1) The maximum total sample size
// 2) The maximum number of subsamples multiplied by the maximum subsample size
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptMaxSample) {
size_t max_size = GetResourceValue(kMaxSampleSize);
size_t max_subsample_size = GetResourceValue(kMaxSubsampleSize);
size_t num_subsamples = GetResourceValue(kMaxNumberSubsamples);
if (num_subsamples * max_subsample_size > max_size) {
max_subsample_size = max_size / num_subsamples;
const size_t max_sample_size = GetResourceValue(kMaxSampleSize);
const size_t max_subsample_size = GetResourceValue(kMaxSubsampleSize);
const size_t max_num_subsamples = GetResourceValue(kMaxNumberSubsamples);
// The +1 on this line ensures that, even in cases where max_sample_size is
// not evenly divisible by max_num_subsamples and thus the division gets
// truncated, (max_num_subsamples * subsample_size) will be greater than
// max_sample_size.
size_t subsample_size = max_sample_size / max_num_subsamples + 1;
if (subsample_size > max_subsample_size) {
subsample_size = max_subsample_size;
}
for (size_t i = 0; i < num_subsamples / 2; i += 2) {
subsample_size_.push_back(SampleSize(max_subsample_size, 0));
subsample_size_.push_back(SampleSize(0, max_subsample_size));
size_t bytes_remaining = max_sample_size;
std::vector<SubsampleSize> subsample_sizes;
while (bytes_remaining > 0 && subsample_sizes.size() < max_num_subsamples) {
const size_t this_subsample_size =
(subsample_size <= bytes_remaining) ? subsample_size : bytes_remaining;
const size_t clear_size = this_subsample_size / 2;
const size_t encrypted_size = this_subsample_size - clear_size;
subsample_sizes.push_back({clear_size, encrypted_size});
bytes_remaining -= this_subsample_size;
}
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes(subsample_sizes));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
ASSERT_NO_FATAL_FAILURE(TestDecryptCENC());
}
// This tests that we can decrypt the required maximum number of subsamples.
// Based on the resource rating, OEMCrypto should be able to handle the maximum
// subsample size.
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptMaxSubsample) {
size_t max_subsample_size = GetResourceValue(kMaxSubsampleSize);
subsample_size_.push_back(SampleSize(max_subsample_size, 0));
subsample_size_.push_back(SampleSize(0, max_subsample_size));
FindTotalSize();
const size_t max = GetResourceValue(kMaxSubsampleSize);
const size_t half_max = max / 2;
// This test assumes that the maximum sample size is always more than three
// times the maximum subsample size.
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{max, 0},
{0, max},
{half_max, max - half_max},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2254,8 +2394,9 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptMaxSubsample) {
// There are probably no frames this small, but we should handle them anyway.
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptSmallBuffer) {
subsample_size_.push_back(SampleSize(5, 5));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{5, 5},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2265,8 +2406,9 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptSmallBuffer) {
// Test the case where there is only a clear subsample and no encrypted
// subsample.
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptUnencrypted) {
subsample_size_.push_back(SampleSize(256, 0));
FindTotalSize();
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{256, 0},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
@@ -2275,11 +2417,12 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptUnencrypted) {
TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptUnencryptedNoKey) {
ASSERT_NO_FATAL_FAILURE(session_.open());
// Single clear subsample
subsample_size_.push_back(SampleSize(400, 0));
// Do not try to compute the CRC because we have not loaded a license.
verify_crc_ = false;
FindTotalSize();
// Single clear subsample
ASSERT_NO_FATAL_FAILURE(SetSubsampleSizes({
{400, 0},
}));
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
// Clear data should be copied even if there is no key selected, and no
// license loaded.
@@ -2288,45 +2431,49 @@ TEST_P(OEMCryptoSessionTestsDecryptTests, DecryptUnencryptedNoKey) {
ASSERT_NO_FATAL_FAILURE(TestDecryptCENC());
}
// This tests the ability to decrypt multiple samples at once.
TEST_P(OEMCryptoSessionTestsDecryptTests, MultipleSamples) {
ASSERT_NO_FATAL_FAILURE(SetSampleSizes({
{
{52, 160},
{25, 256},
{25, 320},
},
{
{300, 64},
{50, 160},
{2, 160},
{24, 160},
{128, 256},
},
{
{70, 320},
{160, 160},
},
}));
ASSERT_NO_FATAL_FAILURE(LoadLicense());
ASSERT_NO_FATAL_FAILURE(MakeBuffers());
ASSERT_NO_FATAL_FAILURE(EncryptData());
ASSERT_NO_FATAL_FAILURE(TestDecryptCENC());
}
// Used to construct a specific pattern.
OEMCrypto_CENCEncryptPatternDesc MakePattern(size_t encrypt, size_t skip) {
OEMCrypto_CENCEncryptPatternDesc pattern;
pattern.encrypt = encrypt;
pattern.skip = skip;
return pattern;
return {encrypt, skip};
}
INSTANTIATE_TEST_CASE_P(
CTRTests, OEMCryptoSessionTestsPartialBlockTests,
CTRTests, OEMCryptoSessionTestsDecryptTests,
Combine(Values(MakePattern(0, 0)), Values(OEMCrypto_CipherMode_CTR),
::testing::ValuesIn(global_features.GetOutputTypes())));
// Decrypt in place for CBC tests was only required in v13.
INSTANTIATE_TEST_CASE_P(
CBCTestsAPI14, OEMCryptoSessionTestsPartialBlockTests,
Combine(
Values(MakePattern(0, 0), MakePattern(3, 7),
// HLS Edge case. We should follow the CENC spec, not HLS spec.
MakePattern(9, 1), MakePattern(1, 9), MakePattern(1, 3),
MakePattern(2, 1)),
Values(OEMCrypto_CipherMode_CBC),
::testing::ValuesIn(global_features.GetOutputTypes())));
INSTANTIATE_TEST_CASE_P(
CTRTestsAPI11, OEMCryptoSessionTestsDecryptTests,
Combine(Values(MakePattern(0, 0), MakePattern(3, 7),
// Pattern length should be 10, but that is not guaranteed.
MakePattern(1, 3), MakePattern(2, 1)),
Values(OEMCrypto_CipherMode_CTR),
::testing::ValuesIn(global_features.GetOutputTypes())));
// Decrypt in place for CBC tests was only required in v13.
INSTANTIATE_TEST_CASE_P(
CBCTestsAPI14, OEMCryptoSessionTestsDecryptTests,
Combine(
Values(MakePattern(0, 0), MakePattern(3, 7),
// HLS Edge case. We should follow the CENC spec, not HLS spec.
MakePattern(9, 1), MakePattern(1, 9),
Values(MakePattern(3, 7), MakePattern(9, 1),
// HLS edge cases. We should follow the CENC spec, not HLS spec.
MakePattern(1, 9), MakePattern(1, 0),
// Pattern length should be 10, but that is not guaranteed.
MakePattern(1, 3), MakePattern(2, 1)),
Values(OEMCrypto_CipherMode_CBC),

1
oemcrypto/test/oemcrypto_unittests.gypi
View File

@@ -7,6 +7,7 @@
{
'sources': [
'oec_device_features.cpp',
'oec_decrypt_fallback_chain.cpp',
'oec_key_deriver.cpp',
'oec_session_util.cpp',
'oemcrypto_session_tests_helper.cpp',