(This is a merge of http://go/wvgerrit/151112.)
The Widevine CDMs have never validated the padding on AES keys. However,
the code to ignore the padding was unusual and based on the assumption
the keys would always have either 0 or 16 bytes of padding and did not
handle other cases correctly. This patch updates the padding-ignoring
code to just do the obvious thing: Reject keys that are too small and
ignore all extra bytes regardless of count.
Bug: 114159862
Test: x86-64
Change-Id: Ic48010477e4cb5f7d2afbde25cf2f098e3470089
[ Merge of http://go/wvgerrit/149690 ]
This change extends the CryptoSession logging to include the OEMCrypto
session ID in its decrypt failure logs, and adds a new CdmSession
decrypt failure log which includes the CDM session ID. The CDM session
directly maps to the MediaDRM session ID, making app debugging easier.
The Decrypt() code pathway is one of the most frequently called
portions of the CDM code, and the pathway attempts to make as few
logging calls as possible in order to keep latency low and log
verbosity to a minimum. It is anticipated that when a call to
Decrypt() fails, there will be a burst of failures as the app may
make several calls to Decrypt() before handling the first decrypt
error.
To keep logging low, the following rules are followed:
- CryptoSession: decrypt errors are only logged when the decrypt error
changes.
- CdmSession: decrypt errors are only logged when the last call to
decrypt had succeeded.
Bug: 183984396
Test: MediaGTS with decrypt failures
Change-Id: Ic6124646d129efbc8a690b5bfd4dc422e04e677b
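The two throttling rules above, worked through on a constructed burst of decrypt results. This is an added example, not code from the Widevine CDM; the status codes, class names and log-line format are stand-ins chosen for illustration, and the OEMCrypto and CDM session IDs are made up.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for the CDM's real decrypt result codes.
enum class DecryptStatus { kOk, kKeyNotFound, kInsufficientOutputProtection };

const char* StatusName(DecryptStatus s) {
  switch (s) {
    case DecryptStatus::kOk: return "OK";
    case DecryptStatus::kKeyNotFound: return "KEY_NOT_FOUND";
    case DecryptStatus::kInsufficientOutputProtection: return "INSUFFICIENT_OUTPUT_PROTECTION";
  }
  return "UNKNOWN";
}

// CryptoSession rule: a failure is logged only when the error differs from the
// status of the previous Decrypt() call, so a burst of identical errors yields
// one line. The line carries the OEMCrypto session ID (assumed numeric here).
class CryptoSessionDecryptLogger {
 public:
  explicit CryptoSessionDecryptLogger(uint32_t oec_session_id) : oec_session_id_(oec_session_id) {}
  void OnDecrypt(DecryptStatus status) {
    if (status != DecryptStatus::kOk && status != last_status_) {
      lines_.push_back("CryptoSession::Decrypt failed: oec_session=" +
                       std::to_string(oec_session_id_) + " error=" + StatusName(status));
    }
    last_status_ = status;
  }
  const std::vector<std::string>& lines() const { return lines_; }

 private:
  uint32_t oec_session_id_;
  DecryptStatus last_status_ = DecryptStatus::kOk;
  std::vector<std::string> lines_;
};

// CdmSession rule: a failure is logged only when the previous call succeeded,
// so the first error of each burst is logged whatever its code, and a change of
// error mid-burst is not. The line carries the CDM session ID, which maps to the
// MediaDRM session ID an app sees.
class CdmSessionDecryptLogger {
 public:
  explicit CdmSessionDecryptLogger(std::string cdm_session_id) : cdm_session_id_(std::move(cdm_session_id)) {}
  void OnDecrypt(DecryptStatus status) {
    if (status != DecryptStatus::kOk && last_succeeded_) {
      lines_.push_back("CdmSession::Decrypt failed: cdm_session=" + cdm_session_id_ +
                       " error=" + StatusName(status));
    }
    last_succeeded_ = (status == DecryptStatus::kOk);
  }
  const std::vector<std::string>& lines() const { return lines_; }

 private:
  std::string cdm_session_id_;
  bool last_succeeded_ = true;
  std::vector<std::string> lines_;
};

struct LogCounts {
  size_t crypto_session;
  size_t cdm_session;
};

// Feeds one sequence of decrypt results to both loggers (as the CDM would for a
// single session) and collects every line emitted.
LogCounts RunSequence(const std::vector<DecryptStatus>& results, std::vector<std::string>* out) {
  CryptoSessionDecryptLogger crypto(0x2a);          // constructed OEMCrypto session ID
  CdmSessionDecryptLogger cdm("sid-7f3e");           // constructed CDM session ID
  for (DecryptStatus s : results) {
    crypto.OnDecrypt(s);
    cdm.OnDecrypt(s);
  }
  out->insert(out->end(), crypto.lines().begin(), crypto.lines().end());
  out->insert(out->end(), cdm.lines().begin(), cdm.lines().end());
  return {crypto.lines().size(), cdm.lines().size()};
}

// Constructed burst: two good calls, three identical failures, the error code
// changes once, one good call, then the first error returns.
const std::vector<DecryptStatus> kSampleBurst = {
    DecryptStatus::kOk, DecryptStatus::kOk,
    DecryptStatus::kKeyNotFound, DecryptStatus::kKeyNotFound, DecryptStatus::kKeyNotFound,
    DecryptStatus::kInsufficientOutputProtection,
    DecryptStatus::kOk,
    DecryptStatus::kKeyNotFound, DecryptStatus::kKeyNotFound};

LogCounts SampleRun(std::vector<std::string>* out) { return RunSequence(kSampleBurst, out); }

int main() {
  std::vector<std::string> lines;
  LogCounts counts = SampleRun(&lines);
  for (const std::string& l : lines) std::cout << l << '\n';
  std::cout << "crypto_session lines=" << counts.crypto_session
            << " cdm_session lines=" << counts.cdm_session << " of " << kSampleBurst.size() << " calls\n";
  return 0;
}
```

Nine calls, six of them failures, produce three CryptoSession lines (each error change) and two CdmSession lines (each burst start): the mid-burst change from KEY_NOT_FOUND to INSUFFICIENT_OUTPUT_PROTECTION is visible only in the CryptoSession log, which is why both levels are kept.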
(This is a merge of http://go/wvgerrit/150131 to the Android repo.)
This patch changes the code path in the CDM so that the first-stage
provisioning request for Provisioning 4.0 is always encrypted with the
Widevine service certificate instead of the client-set service
certificate, reflecting that the first-stage provisioning is always
handled by Widevine.
This patch also makes several methods on the ServiceCertificate class
const. This has no impact on their behavior.
Bug: 221443151
Test: prov40 tests
Change-Id: Ide4c3927afadcd45ae7fb629b99e2f55cc29d56e
[ Merge of http://go/wvgerrit/150630 ]
DeviceFiles uses a static variable for tracking license IDs which
have been reserved by a CDM session before officially storing the
license on the device. This variable was not protected by a mutex,
and a rare race condition would arise, either crashing the service
or getting it stuck in a loop.
This CL adds a mutex for protecting the set of reserved IDs.
Bug: 226555704
Test: device_files_unittest
Change-Id: Icdea88673c76c267b4b7db79697ec52ae8e2581e
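The pattern the CL describes, as an added example that is not the DeviceFiles code: a set of reserved license IDs whose every access takes a mutex, plus a reserve-until-free loop of the kind that can spin forever once an unprotected std::set has been corrupted by concurrent mutation. Class and function names and the "lic-N" ID format are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <mutex>
#include <set>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for the reserved-ID bookkeeping. In the CL the set is a
// static member of DeviceFiles; here it is an instance so a test can own one.
class ReservedLicenseIds {
 public:
  // Returns true if |id| was free and is now reserved for the caller.
  bool Reserve(const std::string& id) {
    std::lock_guard<std::mutex> lock(mutex_);
    return reserved_.insert(id).second;
  }
  // Called once the license is actually stored (or the session gives up).
  void Release(const std::string& id) {
    std::lock_guard<std::mutex> lock(mutex_);
    reserved_.erase(id);
  }
  bool IsReserved(const std::string& id) const {
    std::lock_guard<std::mutex> lock(mutex_);
    return reserved_.count(id) != 0;
  }
  size_t Count() const {
    std::lock_guard<std::mutex> lock(mutex_);
    return reserved_.size();
  }

 private:
  mutable std::mutex mutex_;        // the protection the CL adds
  std::set<std::string> reserved_;  // never touched without mutex_
};

// Tries successive candidate IDs until one is free. Concurrent unlocked
// insert/erase on a std::set is undefined behaviour; a corrupted tree either
// crashes or returns nonsense from insert(), which is how this loop could hang.
std::string ReserveFreshId(ReservedLicenseIds* ids, uint32_t* counter) {
  for (;;) {
    std::string candidate = "lic-" + std::to_string((*counter)++);
    if (ids->Reserve(candidate)) return candidate;
  }
}

// Several sessions race over the same candidate IDs. With the mutex, every ID
// gets exactly one owner and the set ends up holding exactly the IDs handed out.
bool ConcurrentReserveIsConsistent(int threads, int per_thread) {
  ReservedLicenseIds ids;
  std::vector<std::vector<std::string>> won(threads);
  std::vector<std::thread> workers;
  for (int t = 0; t < threads; ++t) {
    workers.emplace_back([&ids, &won, t, per_thread] {
      uint32_t counter = 0;  // same start in every thread, so they collide
      for (int i = 0; i < per_thread; ++i) won[t].push_back(ReserveFreshId(&ids, &counter));
    });
  }
  for (std::thread& w : workers) w.join();
  std::set<std::string> distinct;
  size_t total = 0;
  for (const auto& v : won) {
    total += v.size();
    distinct.insert(v.begin(), v.end());
  }
  return total == distinct.size() && total == ids.Count() &&
         total == static_cast<size_t>(threads) * per_thread;
}

int main() {
  ReservedLicenseIds ids;
  uint32_t counter = 0;
  std::cout << "first: " << ReserveFreshId(&ids, &counter) << '\n';   // lic-0
  std::cout << "second: " << ReserveFreshId(&ids, &counter) << '\n';  // lic-1
  std::cout << "consistent under 8 racing sessions: "
            << (ConcurrentReserveIsConsistent(8, 200) ? "yes" : "no") << '\n';
  return 0;
}
```

The single mutex is held only for the set operation itself, never across the reserve-then-store sequence, so a session that reserves an ID and then fails must call Release() or the ID stays unusable until restart; that is the same ownership discipline the static set in DeviceFiles needs.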
[ Merge of http://go/wvgerrit/148552 ]
Extended the CDM layer to report OEMCrypto's watermarking support.
The reporting of watermarking comes in three (3) mechanisms:
1) ClientCapabilities in license requests
2) CryptoSession metrics when queried to OEMCrypto
3) String property query by apps
If OEMCrypto implements OEMCrypto_GetWatermarkingSupport(), then
the reported watermarking support by the CDM will match that of
OEMCrypto.
If OEMCrypto does not implement OEMCrypto_GetWatermarkingSupport()
or an error occurs, it is assumed that OEMCrypto does not support
watermarking, and the CDM will report "Not Supported".
Bug: 226443788
Test: run_x86_64_tests request_license_test and license_unittest
Change-Id: Id929a356c395e6bcf45d371ee6887eec40d35329
[ Merge of http://go/wvgerrit/149130 ]
When re-initializing OEMCrypto for testing purposes, the
UsageTableHeader must be reset as well. This is to inform future
sessions to load or create a new header before creating new entries.
Bug: 219075437
Test: request_license_test and MediaDrmTests GTS
Change-Id: Ie8bc72bc7ea079d21587e114223fcb67547c756a
[ Merge of http://go/wvgerrit/148469 ]
OEMCrypto_GetOEMPublicCertificate needed to be called
before the OEM private key was loaded due to a bug in OEMCrypto.
The bug has been addressed and the call can now be removed.
OEMCrypto_GetOEMPublicCertificate is only applicable to
devices with OEM certs as their root of trust. Devices with
keyboxes (or BCC) as their RoT would return a spurious
error OEMCrypto_ERROR_NOT_IMPLEMENTED. Removing the call
addresses this as well.
Bug: 190231658
Test: WV unit/integration test
Change-Id: I8216ca5a78b8c2acb5681c7f599cdc41efdf9fc7
[ Merge of http://go/wvgerrit/148450 ]
This CL adds threading requirements to the method doc-comments of
UsageTableHeader.
Bug: 189366337
Test: usage_table_header_unittest
Change-Id: I671f702d3e8ec219cc8daaa220133cb8cec183c8
[ Merged from http://go/wvgerrit/143750 ]
The old test license holder would generate a minimal license response,
but could not correctly mimic important server logic introduced in the
v16 server. Since all integration tests now have policies on the UAT
server, we do not need these minimalist license responses anymore.
Bug: 192700112
Test: GtsMediaTestCases on sunfish
Change-Id: I78c1b6085a6d0239840a11f2b904902210e5e61c
[ Merged from http://go/wvgerrit/143635 ]
Use a license holder for the generic crypto tests.
Bug: 192700112
Test: GtsMediaTestCases on sunfish
Change-Id: Ia2c802263562b11845e55ae0a24254ea54e364c7
[ Merge of http://go/wvgerrit/143749 ]
Tests are added to verify that the policy durations are enforced for
an offline license after a device has been rebooted.
Bug: 26163469
Test: GtsMediaTestCases on sunfish
Change-Id: I54e65d7abc5e59eae7c150555b2244dbf96da3f5
[ Merge of http://go/wvgerrit/143634 ]
Refactor the policy integration tests to use the license holder.
Bug: 195691232
Test: GtsMediaTestCases on sunfish
Change-Id: I58ffa64caec05c617065e4781657e85914f8369e
Merged from http://go/wvgerrit/146154
Many integration tests require a license from a license server. This
CL creates a helper class to fetch, load, and hold a license.
Test: ./build_and_run_all_unit_tests.sh
Bug: 194342800
Bug: 194342778
Change-Id: I0de7bcab4db1b365f074bad29fc157a5eca135d8
[ Merge of http://go/wvgerrit/143630 ]
When we run a test with the fake clock, the clock had been initialized
to the current time, or to 0. This causes a problem for reboot tests
because the clock might go backwards over the reboot. With this
change, we monitor the clock at the end of one reboot pass and
initialize the clock for the next pass based on the previous value.
Bug: 26163469
Test: GtsMediaTestCases on sunfish
Change-Id: Ibd0024f963634382af70553fced38da6e1d857d2
[ Merge of http://go/wvgerrit/143629 ]
The standard b2a_hex only saves about 2k, so we need a special version
that can handle larger strings. This is needed because a license file
is about 7k.
Bug: 194342751
Test: GtsMediaTestCases on sunfish
Change-Id: I6a6ac3f8f4fa6d9cd8a0119fc64fc8f3cc5f3ae8
The interface is defined in
hardware/interfaces/drm/aidl (http://go/ag/15329852).
Test: build
m android.hardware.drm-service.widevine -j128
Test: build_and_run_all_unit_tests.sh
for hidl tests
Test: atest VtsAidlHalDrmTargetTest
Bug: 200055138
Bug: 170964303
Change-Id: If2f2a129914436ba5cef1c46f6cb9415e12c3d1c
(This is a merge of http://go/wvgerrit/140850.)
This patch fixes a number of minor issues in the codebase (mostly
instances of 0-as-nullptr, but also some member shadowing and a missing
override) that were being hidden by the fact that depending on Protobuf
disables these diagnostics. And which will be unhidden when a later
patch removes that behavior from Protobuf.
Bug: 208304830
Test: x86-64
Change-Id: I4b0b1264748880b3726a6388d589868d898f949e
(This is a merge of http://go/wvgerrit/139989.)
Googletest added a new, more powerful MOCK_METHOD() macro in 1.10. This
patch updates all our usage of the old MOCK_METHOD family to the new
macro. Full details can be found at
https://github.com/google/googletest/blob/release-1.10.0/googlemock/docs/cook_book.md#creating-mock-classes
but in brief, the new MOCK_METHOD() replaces the entire old MOCK_METHOD
family and has the following advantages:
1) No need to count parameters or update the macro name when changing
parameters.
2) No need for a different macro for const methods.
3) The ability to specify override, noexcept, and other function
qualifiers.
4) The macro order is now the same as C++ method definition order:
Return Type -> Name -> Arguments -> Qualifiers
In addition to upgrading all our usage sites to the new macro, the
addition of the override qualifier to our MOCK_METHODs helped uncover
several cases where we were using MOCK_METHOD to override methods that
didn't exist. This is a great example of why the override qualifier is
so useful. These places have been updated, by removing the invalid and
unused mock method.
Bug: 207693687
Test: build_and_run_all_unit_tests
Change-Id: Iaad4a22c7f72bb48b1356fe01a41eb0a2f555244
[ Merge of http://go/wvgerrit/143370 ]
[ Cherry-pick off http://ag/16624952 ]
Devices without a keybox may not have access to a device ID if the OEM
uses the device ID from the keybox as its source of truth. For
devices which have lost their keybox, OEMCrypto_GetDeviceID() was
assumed to return ERROR_KEYBOX_INVALID if that was the case; however,
Qualcomm's implementation was returning ERROR_NO_DEVICEID. Given that
both error codes are appropriate, the CDM has been updated to accept
both as an indication that the device ID cannot be retrieved, and that
the null device ID should be returned.
Bug: 190504842
Bug: 214113125
Test: Manual test
Change-Id: I8fb8a1bddfe895062b707b51fcadffd983adb40e
Merge from Widevine repo of http://go/wvgerrit/142349
If a provisioning request is sent, but no response is loaded, we
should fall back to L3. This covers the case where the OTA request is
malformed and the provisioning server ignores it.
This might happen if the device has a bad KM key.
Test: manual testing
Bug: 210823889
Bug: 210807585
Change-Id: I951241539ace97b668868d5abf8a9811d874fb28
Merge from Widevine repo of http://go/wvgerrit/142150 (part 2)
For an EVT device, without a keybox or with a test keybox, we want it
to fall back to L3. However, when running the unit or integration
tests it should continue running tests with test keybox. This will
allow us to test L1 oemcrypto on an EVT device, while still using an
EVT device for dogfooding video content at the L3 level.
Bug: 210807585
Bug: 210823889
Change-Id: I30c35134239db35bb39f11f75220063181987763
[ Merge of http://go/wvgerrit/142249 and http://go/ag/16307264 ]
This adds concurrency protection to a session when policy
timers are reset from v15 to v16. The v15 policy timer may still be
in use by the decryption thread.
Bug: 204282907
Bug: 207304220
Test: Unit/Integration tests, GtsMediaTestCases
Change-Id: I4967b3927e47733fb23a1a12b6094d1cd2072918
[ Merge of http://go/wvgerrit/142229 and http://go/ag/16147655 ]
This adds concurrency protection to a session when keys or a
license is removed from a session.
Bug: 195625322
Test: GtsMediaTestCases, unit/integration tests, YT EME conformance test
Change-Id: I38601a58dc593ce053cb5457b9d42d2c35f3f041
Merge from Widevine repo of http://go/wvgerrit/142149
This CL updates the TestCryptoSession so that it will recover from
initializing without a keybox. This allows unit and integration tests
to be run using a test keybox on a device that does not have any
keybox.
Bug: 210807585
Bug: 161925952
Change-Id: I8639bd733a50ae5af3a7c786347b5a06a9d783ce
Merge from Widevine repo of http://go/wvgerrit/142049
This CL is test only code. A nonce flood was causing the OTA test to
be a little flaky when run on the automatic testing platform Luci.
Bug: 205889158
Change-Id: I4f3e5d8469b899e565c430bd46994e098c5d94e6
[ Merge of http://go/wvgerrit/142089 ]
[ Cherry-pick of http://ag/16496425 ]
Qualcomm's implementation of GenerateOTARequest requires an open
session before attempting to generate an OTA keybox request. When
checking for OTA keybox support, the dynamic layer was not opening
a session, getting a different error than expected. Coincidentally,
this would trick the dynamic layer into thinking it was supported, but
hides useful error information.
Bug: 210823889
Test: Android manual testing
Change-Id: I60662d2d9d411c0f999b619d6088aabdba55e2c3
[ Merge of http://go/wvgerrit/141949 ]
[ Cherry-pick of http://ag/16496424 ]
If the debug count for ignoring an L1 keybox is still non-zero after
successfully processing an OTA keybox request, the dynamic layer MUST
return a failure to the CDM to keep the CDM and dynamic layer in
agreement that the L1 keybox should continue to be treated as invalid.
This will trigger a fallback; but the fallback can be canceled via
the debugging app.
Bug: 210823889
Test: Android manual testing
Change-Id: I75f50ba605d17872c0e8abffc1eee13ff539f01c
Merge from Widevine repo of http://go/wvgerrit/139372
Revert workaround for falling back to L3
(Partially merged previously)
Merge from Widevine repo of http://go/wvgerrit/139498
Guard against double initialize
(Partially merged previously)
Merge from Widevine repo of http://go/wvgerrit/139343
Use a placeholder ID for devices missing a system ID
Merge from Widevine repo of http://go/wvgerrit/140934
Check security-level during OpenSession.
Merge from Widevine repo of https://go/wvgerrit/141469
Make OTAKeyboxSupported handle the short buffer return
code
Bug: 187646550
Bug: 206670307
Bug: 206570220
Bug: 205896558
Bug: 205041153
Test: Manual test on flame
Change-Id: I71f5faf6b611337b82d8b6179251f6b0224780e6
[ Cherry-pick of http://ag/15245767 ]
[ Merge of http://go/wvgerrit/128624 ]
The CDM session was incorrectly recording the "license SDK version" as
the "license service version" in the session metrics. This
discrepancy reduces the quality of devices' metrics and limits
debugging capabilities for the Widevine metric monitoring services.
Bug: 193177333
Test: Linux unit tests
Change-Id: Ic58cf7bc4fde777bb590c05777b76f5ff5c2f1ea
(cherry picked from commit 78278c3eb4)