Add support for encrypted WebM files as defined in the RFC.

media/crypto/aes_decryptor.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/crypto/aes_decryptor.h"
 
 #include "base/logging.h"
 #include "base/stl_util.h"
 #include "base/string_number_conversions.h"
-#include "base/string_piece.h"
 #include "crypto/encryptor.h"
+#include "crypto/hmac.h"
 #include "crypto/symmetric_key.h"
 #include "media/base/decoder_buffer.h"
 #include "media/base/decrypt_config.h"
 #include "media/base/decryptor_client.h"
 
 namespace media {
 
-// TODO(xhwang): Get real IV from frames.
-static const char kInitialCounter[] = "0000000000000000";
+// The size is from the WebM encrypted specification. Current encrypted WebM
+// request for comments specification is here
+// http://wiki.webmproject.org/encryption/webm-encryption-rfc
+static const int kWebmSha1DigestSize = 20;
+static const char kWebmHmacSeed[] = "hmac-key";
+static const char kWebmEncryptionSeed[] = "encryption-key";
 
 uint32 AesDecryptor::next_session_id_ = 1;
 
-// Decrypt |input| using |key|.
+// Derives a key using SHA1 HMAC. |secret| is the base secret to derive
+// the key from. |seed| is the known message to the HMAC algorithm. |key_size|
+// is how many bytes are returned in the key. Returns a string containing the
+// key on success. Returns an empty string on failure.
+static std::string DeriveKey(const base::StringPiece& secret,
+                             const base::StringPiece& seed,
+                             int key_size) {
+  CHECK(!secret.empty());
+  CHECK(!seed.empty());
+  CHECK_GT(key_size, 0);
+
+  crypto::HMAC hmac(crypto::HMAC::SHA1);
+  if (!hmac.Init(secret)) {
+    DVLOG(1) << "Could not initialize HMAC with secret data.";
+    return std::string();
+  }
+
+  scoped_array<uint8> calculated_hmac(new uint8[hmac.DigestLength()]);
+  if (!hmac.Sign(seed, calculated_hmac.get(), hmac.DigestLength())) {
+    DVLOG(1) << "Could not calculate HMAC.";
+    return std::string();
+  }
+
+  return std::string(reinterpret_cast<const char*>(calculated_hmac.get()),
+                     key_size);
+}
+
+// Checks data in |input| matches the HMAC in |input|. The check is using the
+// SHA1 algorithm. |hmac_key| is the key of the HMAC algorithm. Returns true if
+// the integrity check passes.
+static bool CheckData(const DecoderBuffer& input,
+                      const base::StringPiece& hmac_key) {
+  CHECK(input.GetDataSize());
+  CHECK(input.GetDecryptConfig());
+  CHECK_GT(input.GetDecryptConfig()->checksum_size(), 0);
+  CHECK(!hmac_key.empty());
+
+  crypto::HMAC hmac(crypto::HMAC::SHA1);
+  if (!hmac.Init(hmac_key))
+    return false;
+
+  // The HMAC covers the IV and the frame data.
+  base::StringPiece data_to_check(
+      reinterpret_cast<const char*>(input.GetData()), input.GetDataSize());
+
+  scoped_array<uint8> calculated_hmac(new uint8[hmac.DigestLength()]);
+  if (!hmac.Sign(data_to_check, calculated_hmac.get(), hmac.DigestLength()))
+    return false;
+
+  CHECK(input.GetDecryptConfig()->checksum_size() <=

[ddorwin, 2012/07/13 00:48:00]

DCHECK? Do we need this in opt builds?

[fgalligan1, 2012/07/13 21:40:41]

Done.

+        static_cast<int>(hmac.DigestLength()));
+  if (memcmp(input.GetDecryptConfig()->checksum(),
+             calculated_hmac.get(),
+             input.GetDecryptConfig()->checksum_size()) != 0)
+    return false;
+  return true;
+}
+
+// Decrypt |input| using |key|. |encrypted_data_offset| is the number of bytes

[ddorwin, 2012/07/13 00:48:00]

Decrypts...
Returns...

[fgalligan1, 2012/07/13 21:40:41]

Done.

+// into |input| that the encrypted data starts.
 // Return a DecoderBuffer with the decrypted data if decryption succeeded.
 // Return NULL if decryption failed.
 static scoped_refptr<DecoderBuffer> DecryptData(const DecoderBuffer& input,
-                                                crypto::SymmetricKey* key) {
+                                                crypto::SymmetricKey* key,
+                                                int encrypted_data_offset) {
   CHECK(input.GetDataSize());
+  CHECK(input.GetDecryptConfig());
   CHECK(key);
 
-  // Initialize encryption data.
-  // The IV must be exactly as long as the cipher block size.
+  // Initialize decryptor.
   crypto::Encryptor encryptor;
-  if (!encryptor.Init(key, crypto::Encryptor::CBC, kInitialCounter)) {
-    DVLOG(1) << "Could not initialize encryptor.";
+  if (!encryptor.Init(key, crypto::Encryptor::CTR, "")) {
+    DVLOG(1) << "Could not initialize decryptor.";
+    return NULL;
+  }
+
+  // Set the counter block.
+  base::StringPiece counter_block(
+      reinterpret_cast<const char*>(input.GetDecryptConfig()->iv()),
+      input.GetDecryptConfig()->iv_size());
+  if (counter_block.empty()) {
+    DVLOG(1) << "Could not generate counter block.";
+    return NULL;
+  }
+  if (!encryptor.SetCounter(counter_block)) {

[ddorwin, 2012/07/13 00:48:00]

This version handles smaller IVs so we don't need to zero-out as before? Or are
you assuming they are correct? If the latter, we should probably specify that
somewhere. Also, we could at least DCHECK(iv_size==16), right?
And does DecryptConfig need to assume/enforce this too?

[fgalligan1, 2012/07/13 21:40:41]

The latter. This code could handle larger or smaller depending on the key size.
But webm and ISO currently define that encryption must be 128bits, so this will
always be 16. SetCounter() checks for 16 bytes as well. So I think it is fine to
enforce this here and DecryptConfig now that I moved the generation of the
counter_block to the demuxer.

+    DVLOG(1) << "Could not set counter block.";
     return NULL;
   }
 
   std::string decrypted_text;
-  base::StringPiece encrypted_text(
-      reinterpret_cast<const char*>(input.GetData()),
-      input.GetDataSize());
+  const char* frame =
+      reinterpret_cast<const char*>(input.GetData() + encrypted_data_offset);
+  int frame_size = input.GetDataSize() - encrypted_data_offset;
+  base::StringPiece encrypted_text(frame, frame_size);
   if (!encryptor.Decrypt(encrypted_text, &decrypted_text)) {
     DVLOG(1) << "Could not decrypt data.";
     return NULL;
   }
 
   // TODO(xhwang): Find a way to avoid this data copy.
   return DecoderBuffer::CopyFrom(
       reinterpret_cast<const uint8*>(decrypted_text.data()),
       decrypted_text.size());
 }
@@ skipping 45 matching lines @@
   if (!init_data) {
     init_data = kDummyInitData;
     init_data_length = arraysize(kDummyInitData);
   }
 
   // TODO(xhwang): For now, use |init_data| for key ID. Make this more spec
   // compliant later (http://crbug.com/123262, http://crbug.com/123265).
   std::string key_id_string(reinterpret_cast<const char*>(init_data),
                             init_data_length);
   std::string key_string(reinterpret_cast<const char*>(key) , key_length);
-  crypto::SymmetricKey* symmetric_key = crypto::SymmetricKey::Import(
-      crypto::SymmetricKey::AES, key_string);
-  if (!symmetric_key) {
-    DVLOG(1) << "Could not import key.";
+  DecryptionKey* decrypt_key = new DecryptionKey(key_string);

[ddorwin, 2012/07/13 00:48:00]

decryption_key for consistency?

[fgalligan1, 2012/07/13 21:40:41]

Done.

+  if (!decrypt_key) {
+    DVLOG(1) << "Could not create key.";
     client_->KeyError(key_system, session_id, Decryptor::kUnknownError, 0);
     return;
   }
 
   {
     base::AutoLock auto_lock(key_map_lock_);
     KeyMap::iterator found = key_map_.find(key_id_string);
     if (found != key_map_.end()) {
       delete found->second;
       key_map_.erase(found);
     }
-    key_map_[key_id_string] = symmetric_key;
+    key_map_[key_id_string] = decrypt_key;
   }
 
   client_->KeyAdded(key_system, session_id);
 }
 
 void AesDecryptor::CancelKeyRequest(const std::string& key_system,
                                     const std::string& session_id) {
 }
 
 scoped_refptr<DecoderBuffer> AesDecryptor::Decrypt(
     const scoped_refptr<DecoderBuffer>& encrypted) {
   CHECK(encrypted->GetDecryptConfig());
   const uint8* key_id = encrypted->GetDecryptConfig()->key_id();
   const int key_id_size = encrypted->GetDecryptConfig()->key_id_size();
 
   // TODO(xhwang): Avoid always constructing a string with StringPiece?
   std::string key_id_string(reinterpret_cast<const char*>(key_id), key_id_size);
 
-  crypto::SymmetricKey* key = NULL;
+  DecryptionKey* key = NULL;
   {
     base::AutoLock auto_lock(key_map_lock_);
     KeyMap::const_iterator found = key_map_.find(key_id_string);
     if (found == key_map_.end()) {
+      // TODO(fgalligan): Should this throw a decryptor error here?

[ddorwin, 2012/07/13 00:48:00]

That or needkey. There is some debate about which and how. Maybe xhwang has some
thoughts, but at least pick one.

[xhwang, 2012/07/13 01:23:21]

Yeah, either way. Based on the spec, we should fire a needkey event here. But
that part is not implemented yet.

[fgalligan1, 2012/07/13 21:40:41]

Added a TODO to fire a need_key event here.

       DVLOG(1) << "Could not find a matching key for given key ID.";
       return NULL;
     }
     key = found->second;
   }
 
-  scoped_refptr<DecoderBuffer> decrypted = DecryptData(*encrypted, key);
+  int checksum_size = encrypted->GetDecryptConfig()->checksum_size();
+  if (!key->initialized()) {
+    if (!key->Init(checksum_size > 0)) {

[ddorwin, 2012/07/13 00:48:00]

As mentioned in a reply, I don't think this should be here. Moving it back also
allows you to throw an error (line 242).

[fgalligan1, 2012/07/13 21:40:41]

Done.

+      base::AutoLock auto_lock(key_map_lock_);
+      KeyMap::iterator found = key_map_.find(key_id_string);
+      if (found != key_map_.end()) {
+        delete found->second;
+        key_map_.erase(found);
+      }
+      DVLOG(1) << "Could not initialize decryption key.";
+      // TODO(fgalligan): Should this throw a decryptor error here?
+      return NULL;
+    }
+  }
 
+  // According to the WebM encrypted specification, if an encrypted frame fails
+  // the integrity check the media system should drop that encrypted frame and
+  // continue with the next frame.

[ddorwin, 2012/07/13 00:48:00]

Hmm. What is the reason for that? Dealing with network issues? Shouldn't the
user be made aware that something is wrong with the stream?

What does the HTML5 spec say about single-frame decode failures? Could similar
network corruption issues cause unencrypted content to stop but encrypted
content to continue?

[fgalligan1, 2012/07/13 21:40:41]

This was requested by one of the security guys, but I don't have why written
down and it was a while ago. I don't know under what situation playback would be
good after an IC failure. Either you have corrupted data or someone is
explicitly messing with the data. Either situation seems like you should stop
playing the stream and throw an error. I can remove the text from the RFC and
add it as an open issue of what the client should do after an IC failure.

+  // http://wiki.webmproject.org/encryption/webm-encryption-rfc
+  if (checksum_size > 0 && !CheckData(*encrypted, key->hmac_key())) {
+    DVLOG(1) << "Integrity check failed.";
+    return NULL;
+  }
+
+  scoped_refptr<DecoderBuffer> decrypted =
+      DecryptData(*encrypted,
+                  key->decryption_key(),
+                  encrypted->GetDecryptConfig()->encrypted_frame_offset());
   if (decrypted) {
     decrypted->SetTimestamp(encrypted->GetTimestamp());
     decrypted->SetDuration(encrypted->GetDuration());
   }
 
   return decrypted;
 }
 
+AesDecryptor::DecryptionKey::DecryptionKey(
+    const std::string& secret)
+    : initialized_(false),
+      secret_(secret) {
+}
+
+AesDecryptor::DecryptionKey::~DecryptionKey() {}
+
+bool AesDecryptor::DecryptionKey::Init(bool derive_hmac) {

[ddorwin, 2012/07/13 00:48:00]

derive_webm_keys
It's not really deriving an hmac (only), right?

[fgalligan1, 2012/07/13 21:40:41]

Right, I was just trying to keep webm name out of the class. But
derive_webm_keys is more accurate.

+  CHECK(!initialized_);
+  CHECK(!secret_.empty());
+
+  if (!derive_hmac) {

[ddorwin, 2012/07/13 00:48:00]

nit: Prefer positive logic when there is an if-else.

[fgalligan1, 2012/07/13 21:40:41]

Done.

+    decryption_key_.reset(
+        crypto::SymmetricKey::Import(crypto::SymmetricKey::AES, secret_));
+    if (!decryption_key_.get()) {
+      return false;
+    }
+  } else {
+    std::string raw_key = DeriveKey(secret_,
+                                    kWebmEncryptionSeed,
+                                    secret_.length());
+    if (raw_key.empty()) {
+      return false;
+    }
+    decryption_key_.reset(
+        crypto::SymmetricKey::Import(crypto::SymmetricKey::AES, raw_key));
+    if (!decryption_key_.get()) {
+      return false;
+    }
+
+    hmac_key_ = DeriveKey(secret_, kWebmHmacSeed, kWebmSha1DigestSize);
+    if (hmac_key_.empty()) {
+      return false;
+    }
+  }
+
+  initialized_ = true;
+  return true;
+}
+
 }  // namespace media