[ Merge of http://go/wvgerrit/25643 ]
The MediaDrm#provideKeyResponse API states that an empty byte array is
returned when the license type is streaming or release but a non-empty
value was being returned in some cases.
The KeySetId is now returned when the license type is offline or when
the license is streaming and has a secure stop associated with it.
Test: Verified by request_license_test integration tests. Tests have been
modified to validate the returned Key Set Id values.
b/36093612
Change-Id: I82dba537c77ddd1d1876cbce58729f3db901ee51
[ Merge of http://go/wvgerrit/25781 ]
The security level (software/hardware, decryption/decode)
in the policy that specified how the key was to be used was
not being respected for L3. Playback would either continue or
a vendor specific error would be thrown.
If the device cannot use the key as permitted by the policy
CryptoException#ERROR_INSUFFICIENT_OUTPUT_PROTECTION will be thrown.
Test: Verified by WV unit+integration tests.
Verified by WidevineDashPolicyTests
Verified by WidevineDashPolicyTests#testL3SoftwareSecureDecoderRequired,
testL3HardwareSecureCryptoRequired, testL3HardwareSecureDecodeRequired,
testL3SecureVideoPathRequired.
b/31913737
b/31913439
Change-Id: Ibfc7f3dd6fc7264e8cf9b0d33f6f8d619eed6c00
Add a check for invalid session size in restoreKeys
and correct the return code when attempting to create a
plugin with an invalid uuid. Also correct the return code
when attempting to decrypt after keys have been removed.
bug:37172151
Change-Id: I7e832ffe04081471a0cdb3a9329808f47f12cfc3
[ Merge of http://go/wvgerrit/24022 ]
b/34327459
Test: Verified by unit, integration tests on angler
Change-Id: Idb17dc472dddbdad217c35bdaa3fb20ae8152371
[ Merge of http://go/wvgerrit/23742 ]
In OEMCrypto V13, usage table header and usage entries are stored in
persistent non-secure storage and loaded and unloaded from the TEE.
Information needs to be maintained to assist finding the associated license
or usage information. This information has been revised for usage information
to use key set id and usage info file name rather than provider session
token and app id.
The app id is stored in a hashed form (usage info file name) and was not
extractable during the upgrade process to OEMCrypto V13. Due to this
DeviceFiles UsageInfo routines have switched to use usage info file name
rather than app id as a key.
b/34327459
Test: Verified by unit/integration tests on angler
Change-Id: I95aa0435d0955c61fc45b951f5b5d44de2ba5cfc
[ Merge of http://go/wvgerrit/23741 ]
Usage entries and usage entry numbers need to be stored with license
and usage information, to facilitate loading usage entries when offline
licenses/usage information are restored or prepared for release.
b/34327459
Test: Validated by running unit/integration tests on angler.
Change-Id: I0949fc4cec8a50be0a7700b659dc12bb82ac6f73
There were warnings about unused parameters and unnecessary "const"
that were hiding other warnings. This change resolves those
warnings and resolves some constructor list ordering warnings
that were hidden among the other warnings.
Bug: 34784667
Change-Id: Ied78b00d3565abd66f90dbd1f4cce635dae7b957
This change is the complete Widevine metrics system. It will
measure and record runtime information about what is happening
in the CDM - such as errors and throughput.
Bug: 33745339
Bug: 26027857
Change-Id: Ic9a82074f1e2b72c72d751b235f8ae361232787d
[ Merge of http://go/wvgerrit/23161 ]
The usage table redesign will require storing usage table headers
and usage entries in non-secure persistent store. This information
will be signed by the TEE to prevent against modification. New
Storage and retrieval methods have been added for usage table headers,
while usage entries will be stored alongside (offline) licenses and
(secure stops/)usage info.
b/34327459
Test: All unittests, including newly introduced ones other than some
oemcrypto, request_license_test passed. Those tests failed with or without
this CL.
Change-Id: I9b8d6210e33774b0803f8af1711b2d593d467aec
[ Merge of http://go/wvgerrit/22900 ]
Add GetClientToken(), GetProvisioningToken(), GetPreProvisionTokenType()
to CryptoSession. They return the correct token bytes and token type
for preparing the ClientIdentification message for provisioning and
license server transactions.
Also refactor service certificate handling.
OEM certs are introduced in Provisioning 3.0
b/30811184
* Address build breaks
[ Merge of http://go/wvgerrit/23162 ]
This addresses issues introduced by http://go/wvgerrit/22900
b/30811184
* When http://go/wvgerrit/18012 was merged (ag/1446934) some changes
were not merged for mapErrors-inl.h. These changes are included in this CL.
* When ag/1678104 was reverse merged to http//go/wvgerrit/21981/ a variable
was renamed and some comments were added to add clarity in cdm_engine.cpp.
These changes are included in this CL.
Test: All unittests other than some oemcrypto, request_license_test
passed. Those tests failed with or without this CL.
Change-Id: Ie0215509f2f985f2a610f5a4c865db47edec8662
[ Merge of http://go/wvgerrit/22565 ]
When using the grace period, the CDM will need to override the values
given to use by the TEE (through OEMCrypto). Normally the first (and
last) decrypt times are stored securely by the TEE. To avoid extra
complexity in OEMCrypto, we will simply ignore the values given to us
by the TEE when using this feature.
However, the TEE will still enforce the (hard) license duration. So
only the rental/playback durations will be affected by malicious
editing of files.
b/34211676
Test: Reran unittests including newly added tests. All tests other than
some oemcrypto, request_license_test passed. Those tests failed with
or without this CL.
Change-Id: I6d7b5bfb669fd8603b474b68c2f7175b0c30901d
[ Merge of http://go/wvgerrit/22517 ]
b/34211676
Test: All unittests other than some oemcrypto, request_license_test
passed. Those tests failed with or without this CL.
Change-Id: I86a2ff041aae57ac46e9f9f7bac38ec4599a0fa7
[ Merge of http://go/wvgerrit/22516 ]
b/34211676
Test: All unittests other than some oemcrypto, request_license_test
passed. Those tests failed with or without this CL.
Change-Id: Ie973f468f9efd05bdafcf90164dae185a6ce11dc
This CL merges several CLs from the widevine repo:
http://go/wvgerrit/18012 Add support for querying allowed usage for key.
http://go/wvgerrit/17971 Add per-origin storage.
http://go/wvgerrit/18152 Add OEMCrypto's generic crypto operations to CDM.
http://go/wvgerrit/17911 QueryKeyControlInfo => QueryOemCryptoSessionId
Note: numbering in wv_cdm_types.h was added in this CL and will be
back ported to wvgerrit in a future CL.
Change-Id: Idb9e9a67e94f62f25dc16c5307f75a08b3430b64
[ Merge of https://go/wvgerrit/16940 ]
An alternate scenario to renewing keys is to load the same keys in
a separate session and make use of them by using the session sharing
feature.
Session sharing involves iterating through a map of sessions and
returning the first session that contains the Key ID. In certain cases
(license about to expire) we might prefer an alternate session
be chosen.
Licenses may expire in two ways. Policy engine, driven by a 1 second
timer may detect expiry and send an asynchronous event. OEMCrypto may
also detect expiry based on information in the key control block
and return an error during decryption. It is possible that these
may differ by upto a second. This can lead to issues where decryption
fails but EVENT_KEY_EXPIRED is not generated till later.
It is possible to address this by using information from both timers
to notify the app about expiry. To implement this correctly will
add complexity and require synchronization between threads. To avoid
this an alternate solution is, if session sharing is used, to pick
the session that has a license with the longest remaining validity.
b/27041140
Change-Id: I398cc4c10ee3a2f192d4a0befe7c8a469dd5bf86
[ Merge of http://go/wvgerrit/16625 and http://go/wvgerrit/16633 ]
Reduce the number of parameters needed by GenerateKeyRequest.
Combining all output values into a single struct.
BUG: 26162546
Change-Id: Ibeb3f4df4a8e877511f8ab2e6c543001a921f285
This is a merge of squashed CLs.
* Cdm Session and Engine interface clean up
[ Merge of http://go/wvgerrit/16387 ]
Key Set Ids have been removed from the CdmSession interface
(GenerateKeyRequest, Addkey) as they can be queried by an accessor.
The CdmEngine interface now allows one to specify or retrieve a session ID,
since both were not being used in a single call. Key set IDs are no longer
returned though GenerateKeyRequest as they was not being used.
* Generate key set ID when session is initialized
[ Merge of http://go/wvgerrit/16370 ]
Key set IDs are currently generated at different times in the
CdmSession lifecycle. Android generates key set IDs when the license
is received, while the CE CDM generates (or overrides them)
when the session is constructed.
The key set IDs are now generated when the session is initialized.
Key set generation cannot occur earlier as it has a dependency on
security level and in turn on crypto session initialization which
occurs when the session is initialized.
Depenencies on Session ID has caused other activities, construction of
PolicyEngine, CdmLicense, setting property CDM client sets to be
deferred from CdmSession constructor to Init().
Android will still retrieve the key set IDs after the offline license is
processed. For streaming requests, the key set will be
unreserved and discarded when the session is terminated.
Change-Id: Ib802d1c043742d62efa9a2c901fcd113e836c33d
[ Merge of http://go/wvgerrit/16241 and http://go/wvgerrit/16364 ]
This will allow a usage session to be loaded later by key set ID.
This is needed for EME-style secure stop in the new CE CDM API.
b/25816911
Change-Id: I916340047492fbc0556d0e90bd2eac0f3eafe597
* Fix strict aliasing error in gcc
[ Merge of http://go/wvgerrit/15856 ]
This also ensures the alignment of 64-bit memory access in a portable
way, without using compiler-specific mechanisms like attributes or
platform-specific mechanisms like memalign.
(The aliasing error does not show up in clang.)
* Return kNotSupported for non-Widevine init data
[ Merge of http://go/wvgerrit/15853 ]
This also improves logging for the init data parser by including a
verbose message for non-Widevine PSSHs and by using a new IsEOF()
method to avoid misleading "Unable to read atom size" logs.
* Cast RSA_size() to int
[ Merge of http://go/wvgerrit/15880 ]
It has been suggested that this may be unsigned on some versions of
OpenSSL or BoringSSL.
* Be strict about warnings for CE CDM
[ Merge of http://go/wvgerrit/15831 ]
* Enable all warnings and treat warnings as errors in the CE build.
* Fix all existing warnings (mostly unused variables, consts, and
functions, and one signed/unsigned comparison).
* Exclude protobuf warnings rather than maintain a divergent copy.
* Fix release build errors
[ Merge of http://go/wvgerrit/15855 ]
* Level 3 Build With Android Emulator
[ Merge of http://go/wvgerrit/15778 ]
This CL rebuilds the level 3 libraries with the android emulator
sdk_phone_*. This seems to avoid problems with the x86 build using
incorrect compiler flags.
These libraries work for arm, x86, mips, arm64, and x86_64. The level
3 library is disabled for mips64.
Versions:
level3/mips/libwvlevel3.a Level3 Library Sep 30 2015 18:29:50
level3/arm/libwvlevel3.a Level3 Library Sep 28 2015 13:18:25
level3/x86/libwvlevel3.a Level3 Library Sep 28 2015 13:08:28
Change-Id: I1e50aa78bdc84ecb905f2e55297d4f48b140341c
* Extend CdmLicense's stored_init_data_
[ Merge of http://go/wvgerrit/14661 ]
CdmLicense will store init data when a server cert must be
provisioned. After provisioning, the original init data can be used
to generate the originally-intended license request.
To do this before, the caller had to call CdmSession's
GenerateKeyRequest with an empty InitializationData object. However,
the init data's type still had to be set, as did the license type.
This CL allows the caller to use a truly empty InitializationData
without a type. To permit this, CdmLicense now stores a full
InitializationData object, rather than just a copy of it's data field.
With this CL, the caller also avoid storing the original license type.
To accomplish this, CdmSession uses the already-set is_offline_ and
is_release_ flags from the original call to reconstruct the intended
license type. The caller uses the new type kLicenseTypeDeferred.
To facilitate storing whole InitializationData objects, they are now
copyable.
This ultimately simplifies server cert code for the new CE CDM.
* Store service certs in Properties
[ Merge of http://go/wvgerrit/14664 ]
This allows CE devices to mimic the Chrome CDM's behavior of sharing
server certs between sessions.
This also affects Android behavior. Previously, provisioned service
certificates were per-session, while explicitly-set service certs
were per-DRM-plugin. Now, both are per-DRM-plugin.
A DRM plugin is associated with a mediaDrm object. Content
providers will still be able to retrieve and use different
certificates. The change here requires an app, that wishes to use
different provisioned service certificates will have to use
multiple mediaDrm objects. This is an unlikely scenario.
Change-Id: If2586932784ed046ecab72b5720ff30547e84b97
* Reject session clobbering.
[ Merge of http://go/wvgerrit/14634 ]
This fixes a bug in I17de92b3e682c9c731f755e69466bdae7f560393 in which
sessions can be clobbered by a forced session ID. This bug manifested
in subtle test failures which involved repeatedly creating sessions.
This was traced to OEMCrypto not being terminated, then upward to a
leaked CryptoSession and CdmSession, and then finally to clobbered
session IDs.
To avoid the bug in future, first, reject duplicate session IDs.
Second, change the OpenSession API to make forced IDs explicit.
* Fix unit test namespaces.
[ Merge of http://go/wvgerrit/14622 ]
This fixes some odd errors that occur when linking multiple test
suites into one executable. When two object files both contain
a definition of wvcdm::MockCryptoSession, for example, one will win
silently and cause the other's tests to misbehave and/or crash.
The solution is to put all mocks into an anonymous namespace, since
each wvcdm::(anonymous)::MockCryptoSession is separate.
In order to avoid lots of repetitions of wvcdm:: in the anonymous
namespaces, all anonymous namespaces in unit tests now live inside
or the wvcdm namespace. This has been done even for tests which
are not currently using mocks.
* Move timer and timer_unittest to Android.
[ Merge of http://go/wvgerrit/14619 ]
These are not used anywhere else.
Change-Id: I234f31e9b5c79061205728783596ebaff65e0aff
* Move Properties::Init into platform-specific code
This enables a refactor where property initialization for CE CDM will
use values provided by the application during library initialization.
[ Merge of http://go/wvgerrit/14510/ ]
* Add Properties::AlwaysUseKeySetIds().
When true, all sessions will have key set IDs and all session IDs
will be the same as the corresponding key set ID.
This will help the new CDM interface stick more closely to the EME
APIs, in which there are no such things as key set IDs and sessions
only have a single, random ID used for both streaming and offline.
[ Merge of http://go/wvgerrit/14521/ ]
* Reserve key set IDs in memory, rather than on the file system.
This makes it more efficient to use key set IDs for non-offline
sessions.
[ Merge of http://go/wvgerrit/14535/ ]
Change-Id: I765c3519619b17cc3c4ef95b1a6b125f479ee1d0
[ Merge of http://go/wvgerrit/14900 ]
When releasing a license, usage entries were being released twice with
both OEMCrypto_DeleteUsageEntry and OEMCrypto_ForceDeleteUsageEntry being
called. The second call would always fail because the usage information had
already been released. The CdmSession::DeleteLicense methods will now only
handles deletion of license metadata and leave deletion of usage entries to
the CdmLicense class.
b/22097805
Change-Id: Ic55764d5357043d136e7d88583f709a4ceea3e64
[ Merge from http://go/wvgerrit/14745 ]
License generation errors previously would result in code -2916 being returned
though the mediaDrm API. More descriptive error codes are now being returned
from -2850 to -2836
b/13976775
Change-Id: I613ad650ab0a072ce9d8029e2af52b72dc617236
Also fix a missing change for
"playback duration should override license duration".
Merged from Widevine CDM repo:
https://widevine-internal-review.googlesource.com/#/c/14435/
Bug: 21393975
Change-Id: Ibfcf3ae4c13db8944ea285bcc79b6312ea621e1b
[ Merge of go/wvgerrit/14240 ]
Client information is reported in release and renewal messages based on
flag in the license. License proto has been updated to match server updates.
There are two caveats
* Client IDs will be reported unencrypted when usage reports are requested.
* Release requests that enable privacy mode (encrypted client IDs) but do not
specify a service certificate are not supported.
b/19247020
Change-Id: I95e709922122370f310936fbad3d312262128e49
The errors in the range ERROR_DRM_VENDOR_MIN to ERROR_DRM_VENDOR_MAX are
reflected in the message that is reported to the app, which is
MediaDrmStateException.getDiagnosticInfo().
Many errors map to kErrorCDMGeneric, especially KEY_ERROR is used as a
generic error in CDM. This fix defines more specific error codes in the
CDM for places where KEY_ERROR is returned.
Merge from http://go/wvgerrit/14071
bug: 19244061
Change-Id: I688bf32828f997000fea041dd29567dde18ac677
This is a merge of several Widevine-side commits that, cumulatively,
allow callers to specify an origin to be used to isolate data storage
as specified in the W3C Encrypted Media Extension specification.
Separate origins have separate certificates, and consequently cannot
share device identifiers with each other.
The changes included in this are:
Add Ability to Check for Existing Certificates
http://go/wvgerrit/13974
Add Ability to Remove the Certificate
http://go/wvgerrit/13975
Make CDM Origin-Aware
http://go/wvgerrit/13977
Add Per-Origin Storage to Widevine CDM on Android
http://go/wvgerrit/14026
Remove Automatic Origin Generation
http://go/wvgerrit/14031
Bug: 19771858
Change-Id: I6a01c705d9b6b4887a9c7e6ff4399a125f781569
Also pass session_id and event_listener to PolicyEngine to make it easier
to dispatch events from PolicyEngine.
Bug: 19771437
Merged from Widevine CDM repo:
https://widevine-internal-review.googlesource.com/#/c/13816/
Change-Id: I5723cb371cb3c43c945051af3402b09069ba5859
(This is a merge of http://go/wvgerrit/13761 from the Widevine
repository.)
This cleans up our includes to be in Google Style Guide order and in
alphabetic order, for the parts of the code that are expected to
follow Google Style.
This also converts places in our code that were including C headers
in the C++ style (i.e. <cstring> instead of <string.h>) to use C style
instead. This is because, although it was not causing problems for us
yet, on Android these actually include different headers. (<cstring>
is provided by libcxx, while <string.h> is provided by Bionic)
Lastly, this change puts all headers that do not come from within our
project in <brackets> instead of "quotes," which was not being done
consistently.
This change is explicitly NOT trying to standardize the spacing of our
header includes. I have tried to respect, in each file, the spacing
style already present.
Change-Id: If3dc06532ab9b68010285d64518ef21dce3d6354
This is a merge of http://go/wvgerrit/13693 in the Widevine
repository.
This adds level 3 and mock implementation and unit tests for the
OEMCrypto function OEMCrypto_ForceDeleteUsageEntry. It also plumbs
this function up into CdmEngine, CdmSession, and CryptoSession so that
deleting all usage information for a given app id will now delete the
entries in OEMCrypto, too.
b/18194071
Change-Id: Iaea4034a507b323878657215784edfe95876386a
This is a cherry pick of http://go/wvgerrit/13665
Added a few static casts and removed some unused parameters.
Change-Id: I4f2d1c26580a188de429defc8d1d22757f4c6917
Back when we were being proactive about merging LMP changes to master
in the Widevine repository, there were a few changes that got merged
in a different form than what got checked into the Android repository.
Mostly, this happened due to several large core changes that were
brought over to the master branch in multiple parts so as not to break
other teams using the Widevine repository. This patch brings the two
trees in sync.
Change-Id: I4e56a742686d73d1c6ace209684ce0e8542fd93f
This merges several small changes that were made in response to
comments that arose when LMP changes were merged into the Widevine
repository's master branch.
Change-Id: Ifec968af54dbc3288f24654ec0c6ca9b5962e1aa
This copies over formatting changes from the Widevine CDM repository
that resulted from running clang-format with Google style on the
shared core/ directory. It also copies over some rewordings of log
messages that were made at the same time.
Aside from the changed log messages, this should not affect behavior
or functionality.
Change-Id: I69c57c188f7a79f30fa3517afeed17365929b6b6
(This is a merge of http://go/wvgerrit/11285 from the Widevine CDM
repository.)
The key set ID is now available earlier, in order to support the CE
CDM 4.5 interface, which needs it at key request generation time, not
later at key response receipt time. It is still possible to receive
the key set ID at key response time, for Android's purposes. Either
API may now be passed a pointer to store the ID in, which may also be
left NULL if this is not needed.
Change-Id: I47e80ea4005c80282e36cfae92cb91142208f624
(This is a merge of http://go/wvgerrit/10674 from the Widevine CDM
repository.)
Now that the CE CDM has CloseSession to handle closing sessions, we
can rename CancelKeyRequest on the CDM Engine & CDM Session to better
resemble its purpose and the name it is known by on Android.
Change-Id: I68d55b3be733579e5875ab33d8e94a62fe1f651d
Netflix reported that after pulling power while their app is active,
the app isn't able to restart. This is because the license file for
session keys isn't getting synched to disk, so the data is still in
the buffer cache when the device shuts down. Calling fflush and fsync
on the file ensures the data is persisted to disk. fclose alone
doesn't do fsync.
In testing, I also noticed that the license file was being rewritten
every second which is hard on the flash filesystem. The timer thread
was modified to avoid these frequent writes.
Merge of https://widevine-internal-review.googlesource.com/#/c/12431/
from the widevine cdm repo.
bug: 19108207
Change-Id: Ibe81e40a3c1f5d25563523da43fefdccdaa6ddcf
Our recommendation to OEMs is that they support a table of at least 50
usage entries in OEMCrypto. If more usage entries are stored, the PSTs get
added to the CDM but are LRU'ed out of the OEMCrypto usage table. When the
CDM queries those usage entries, OEMCrypto will return a
OEMCrypto_ERROR_INVALID_CONTEXT. Rather than return an error and have
MediaDrm throw an exception, CDM should delete this PST and return the
next usage entry, when queried.
[ Merge of https://widevine-internal-review.googlesource.com/#/c/11457/
from Widevine cdm repo ]
b/17994711
Change-Id: I00e3f93000096fb434d94333e22958de795a4bb5
