Update BoringSSL API and add ODK v18 support

2023-07-20 21:32:51 +00:00
parent f753fd4084
commit cc6fd4ed71
8 changed files with 30 additions and 15 deletions
--- a/whitebox/WORKSPACE
+++ b/whitebox/WORKSPACE
@@ -65,7 +65,7 @@ http_archive(
 new_git_repository(
    name = "odk_repo",
    build_file = "//external:odk.BUILD",
-    commit = "2bfd670424232fbff4e38f25d06cb28ee4c88b61",  # 17.1
+    commit = "74178f968f2188db27b6f56adcae60f377049f72",  # 18.3
    remote = "https://widevine-partner.googlesource.com/oemcrypto_core_message.git",
 )

--- a/whitebox/api/BUILD
+++ b/whitebox/api/BUILD
@@ -17,7 +17,7 @@ cc_library(
        "//:is_old_api": [],
        "//:is_old_vmpra": [],
        "//conditions:default": [  # Chrome
-            # "HAS_PROVIDER_KEYS",
+            "HAS_PROVIDER_KEYS",
            "ENABLE_LICENSE_PROTOCOL_2_2",
            # Needed when talking to server SDKs [v16.3.3, v16.4.3] with license
            # protocol v2.2 enabled (b/177271059).
--- a/whitebox/api/license_whitebox_process_license_response_core_message_test.cc
+++ b/whitebox/api/license_whitebox_process_license_response_core_message_test.cc
@@ -82,7 +82,8 @@ INSTANTIATE_TEST_SUITE_P(
    ::testing::Combine(
        ::testing::Values(kNoSigningKey, Padding::kNone, Padding::kPKSC8),
        ::testing::Values(OdkVersion::kNone, OdkVersion::k16_3,
-                          OdkVersion::k16_5, OdkVersion::k17_1)));
+                          OdkVersion::k16_5, OdkVersion::k17_1,
+                          OdkVersion::k18_3)));

 // Failure tests

--- a/whitebox/api/test_license_builder.cc
+++ b/whitebox/api/test_license_builder.cc
@@ -198,13 +198,15 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
  constexpr uint32_t nonce = 0xdeadbeef;
  ODK_NonceValues nonce_values{api_minor_version, api_major_version, nonce,
                               session_id};
+  ODK_MessageCounterInfo counters{};

  // Start by making a call to determine how big the core_message for the
  // request needs to be.
  size_t core_message_length = 0;
  auto odk_result = ODK_PrepareCoreLicenseRequest(
      reinterpret_cast<uint8_t*>(const_cast<char*>(serialized_request.data())),
-      serialized_request.size(), &core_message_length, &nonce_values);
+      serialized_request.size(), &core_message_length, &nonce_values,
+      &counters);
  CHECK_EQ(odk_result, OEMCrypto_ERROR_SHORT_BUFFER);

  // Now that we know the size, create |combined_request_message| with room
@@ -216,7 +218,8 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
  odk_result = ODK_PrepareCoreLicenseRequest(
      reinterpret_cast<uint8_t*>(
          const_cast<char*>(combined_request_message.data())),
-      combined_request_message.size(), &core_message_length, &nonce_values);
+      combined_request_message.size(), &core_message_length, &nonce_values,
+      &counters);
  CHECK_EQ(odk_result, OEMCrypto_SUCCESS);

  // As the core_message is the first part of |combined_request_message|,
@@ -513,6 +516,8 @@ uint16_t GetOdkMajorVersion(TestLicenseBuilder::OdkVersion odk_version) {
      return 16;
    case TestLicenseBuilder::OdkVersion::k17_1:
      return 17;
+    case TestLicenseBuilder::OdkVersion::k18_3:
+      return 18;
    case TestLicenseBuilder::OdkVersion::kNone:
      DCHECK(false);
      return 0;
@@ -525,6 +530,7 @@ uint16_t GetOdkMajorVersion(TestLicenseBuilder::OdkVersion odk_version) {
 uint16_t GetOdkMinorVersion(TestLicenseBuilder::OdkVersion odk_version) {
  switch (odk_version) {
    case TestLicenseBuilder::OdkVersion::k16_3:
+    case TestLicenseBuilder::OdkVersion::k18_3:
    case TestLicenseBuilder::OdkVersion::k99:
      return 3;
    case TestLicenseBuilder::OdkVersion::k16_5:
--- a/whitebox/api/test_license_builder.h
+++ b/whitebox/api/test_license_builder.h
@@ -57,6 +57,7 @@ class TestLicenseBuilder {
    k16_3,  // ODK version 16.3
    k16_5,  // ODK version 16.5
    k17_1,  // ODK version 17.1
+    k18_3,  // ODK version 18.3

    k99,    // ODK 16.3, but with the version set to 99 (an arbitrary value).
  };
--- a/whitebox/crypto_utils/rsa_key.cc
+++ b/whitebox/crypto_utils/rsa_key.cc
@@ -44,7 +44,7 @@ namespace {
 bool RsaKeyMatch(const RSA* key1, const RSA* key2) {
  if (!key1 || !key2)
    return false;
-  return BN_cmp(key1->n, key2->n) == 0;
+  return BN_cmp(RSA_get0_n(key1), RSA_get0_n(key2)) == 0;
 }

 std::string OpenSSLErrorString(uint32_t error) {
--- a/whitebox/crypto_utils/rsa_util.cc
+++ b/whitebox/crypto_utils/rsa_util.cc
@@ -407,12 +407,12 @@ bool ConvertToCarmichaelTotient(RSA* rsa) {
  bssl::UniquePtr<BIGNUM> d(BN_new());
  // This calculates d = e^-1 (mod lcm(p-1, q-1)).
  // This is equivalent to what is used in RSA_generate_key in BoringSSL.
-  if (!BN_sub(pm1.get(), rsa->p, BN_value_one()) ||
-      !BN_sub(qm1.get(), rsa->q, BN_value_one()) ||
+  if (!BN_sub(pm1.get(), RSA_get0_p(rsa), BN_value_one()) ||
+      !BN_sub(qm1.get(), RSA_get0_q(rsa), BN_value_one()) ||
      !BN_mul(totient.get(), pm1.get(), qm1.get(), ctx.get()) ||
      !BN_gcd(gcd.get(), pm1.get(), qm1.get(), ctx.get()) ||
      !BN_div(totient.get(), nullptr, totient.get(), gcd.get(), ctx.get()) ||
-      !BN_mod_inverse(d.get(), rsa->e, totient.get(), ctx.get())) {
+      !BN_mod_inverse(d.get(), RSA_get0_e(rsa), totient.get(), ctx.get())) {
    return false;
  }

@@ -423,11 +423,10 @@ bool ConvertToCarmichaelTotient(RSA* rsa) {
    return false;
  }

-  // TODO(user): Replace this with |RSA_set0_key| once BoringSSL has
-  // finished transitioning to the OpenSSL 1.1.0 API.
-  BN_free(rsa->d);
-  rsa->d = d.release();
-
+  if (!RSA_set0_key(rsa, BN_dup(RSA_get0_n(rsa)), BN_dup(RSA_get0_e(rsa)),
+                    d.release())) {
+    return false;
+  }
  if (!RSA_check_key(rsa)) {
    return false;
  }
--- a/whitebox/reference/impl/odk.cc
+++ b/whitebox/reference/impl/odk.cc
@@ -28,6 +28,8 @@ WB_Result GetODKContext(const std::string& combined_message,
  // By using initial_license_load==false, ODK won't validate the nonce.
 #if ODK_MAJOR_VERSION == 16
  uint8_t request_hash[16];
+#elif ODK_MAJOR_VERSION == 18
+  uint64_t clock_value = 0;
 #endif
  for (bool usage_entry_present : {false, true}) {
    // Parse using both values for |usage_entry_present|, it needs to match the
@@ -40,8 +42,14 @@ WB_Result GetODKContext(const std::string& combined_message,
        /* initial_license_load= */ false, usage_entry_present,
 #if ODK_MAJOR_VERSION == 16
        request_hash,
+#elif ODK_MAJOR_VERSION == 18
+        clock_value,
 #endif
-        &timer, &clock, &nonce, &context->license);
+        &timer, &clock, &nonce, &context->license
+#if ODK_MAJOR_VERSION == 18
+        , &clock_value
+#endif
+        );
    if (result != ODK_ERROR_CORE_MESSAGE) break;
  }
  if (result != OEMCrypto_SUCCESS) {