[ Merge of http://go/wvgerrit/108904 ]
Client ID name-value fields in the license request share the same
namespace with app parameters and WV standard device information. As
a result, it was possible for applications to provide parameters that
could potentially fool the license server with spoof values.
This CL restricts the use of the fields that are common across both the
Android CDM and CE CDM. Currently, Android specific fields are
restricted by the MediaDrmPlugin layer, and there are no CE CDM
specific fields currently defined.
The non-HIDL DRM plugin does not restrict these fields; however, it
will be removed in S.
Bug: 171723566
Test: Android integration test
Change-Id: I5ad9ead73c5aff712dff8133953de5ddc3296452
[ Merge of http://go/wvgerrit/110603 ]
Qualcomm SoC may report 10085 (RSASSA-PSS signature error) when
OEMCrypto_PrepareAndSignLicenseRequest is called. The app needs to
reprovision (or the user needs to factory reset their device) in order
to recover.
If the 10085 error is returned, the app currently will get a
MediaDrmStateException. The app has no way to be able to tell
whether this is due to the 10085 error or some other error.
This change returns a NEED_PROVISIONING error at the CDM level, which
will result in the app receiving a NotProvisionedException when
MediaDrm.getKeyRequest is called.
Bug: 174375589
Test: WV unit/integration tests
Change-Id: I4f2884c8a5fd88ab2e9bfbc0731a20e58cec0f36
[ Merge of http://go/wvgerrit/110165 ]
The conditional compilation for flagging the CDM and ODKiTEE logging
functions as printf-like was guarded by a check on "__gnuc__" or
"__clang__". However, GCC doesn't actually define "__gnuc__", it
defines "__GNUC__", all caps. Fixing this causes GCC to find a slew
of format-string errors that Clang was accepting. This patch fixes the
capitalization and the uncovered errors, most of which fall into one of
a few categories:
1) The format string and variable had different signedness. For these,
the format strings are updated to match the variables.
2) The variable was an array index that was not of size_t. For these,
the variables have been updated to be size_t and the format strings
have been updated to use %zu. A few index variables that weren't
actually used in format strings are also fixed to be size_t.
3) The code assumed the signedness of the internal representation of an
integer literal, enum constant, or enum variable. For these, I either
cast the input to a known type so that the format string is valid
regardless of internal representation or I switched to a hexadecimal
format string. The latter case is more useful on ODKiTEE enums where
the literal value is in the code as a 32-bit hexadecimal value
anyway.
This patch also adds missing integer casts to the enum literals in the
ODKiTEE logging header. (These are required for pedantic C99
compatibility when using literal values that do not fit into a 16-bit
integer.)
Bug: 173460694
Test: jenkins/odkitee_ta
Test: build.py x86-64
Change-Id: I244972639a5a6ea0de157eb67e1e0dfa9787ec32
Merging CL:
* http://go/wvgerrit/108203
* http://go/wvgerrit/103904 (changes to L3 source files excluded)
Also added ODK dependency which is required by L3 v16.
Do not replace constant sizeof() with a hard-coded value in L3 library because it is target-specific.
Test: Unit tests on gLinux
jenkins/linux_unit_tests
jenkins/ce_cdm_tests
Test: Unit tests on Pixel 4(flame-userdebug, rvc-qpr-dev)
vendor/widevine/libwvdrmengine/build_and_run_all_unit_tests.sh
Test: Manual ExoPlayer L1/L3 playback tests (flame-userdebug)
WV: Secure HD/SD (cenc,MP4,H264)
WV: Secure HD/SD (cbc1,MP4,H264)
WV: Secure HD/SD (cbcs,MP4,H264)
Test: Widevine GTS tests(bramble-userdebug, master)
http://ab/I23800006571451275
Bug: 136317881
Bug: 139814713
Bug: 173331251
Change-Id: I1656e83a74a0eaf650f55f5e2388819bf5020c0d
[ Merge of http://go/wvgerrit/108143 ]
The CDM property string and MediaDrm property string for the usage
table capacity did not follow the same pattern used for matching all
other property strings. This changes the CDM's version of the string
to match the MediaDRM version. The property string mapper will
automatically be updated when the CDM is updated on Android.
The change in property string was tested on Android R using the
license request integration test.
Bug: 164493147
Test: Android integration test
Change-Id: I84d2e55a192b79738559cc6f71e54f3b1cd964fd
Merge of http://go/wvgerrit/106823
Previously, we worked around a problem by signing a fake license
request when a license did not have a usage entry. However, this was
inside a conditional that the device did support usage tables. This CL
moves that code outside the conditional so that a fake license is
signed whenever the license does not have an entry.
Bug: 169591716
Test: unit and integration tests
Change-Id: Ic4d1a91af63503722b088a136c0a8dca9746a962
Merge of http://go/wvgerrit/105063
When running the local license server, the license does not contain a
URL for the renewal, or it is mangled. We only need to run this test
if we are running against UAT or UAT Nightly.
Bug: only found when debugging
Test: Ran tests with local license server
Change-Id: Ic84fcf9033b945a176119639a21104e4d42258a9
Replace Makefile with Android.bp.
Remove duplication of protos in proto directory.
Since we are now building the metrics_dump tool
under Android, use frameworks metrics.proto
directly. Also, reference cdm's wv_metrics.proto
from the cdm directory instead of creating a
subset in proto directory.
bug: 161783052
bug: 170607430
Test: build
m -j128 metrics_dump
Test: metrics_dump [bugreport from adt-3-r.zip]
Test: metrics_dump [bugreport from sabrina-q.gz]
Test: metrics_dump --widevine [adb shell dumpsys media.metrics output]
Change-Id: I82c7e723453ac2a6335cb2bb732a376d535b9ea3
Cherry pick from http://go/wvgerrit/102986, rvc-dev branch of
http://go/wvgerrit/105825, rvc-widevine-release of http://go/ag/12561661
This CL adds several integration tests that match the duration use
cases. The test classes are designed for the core cdm, but the test
cases match those found in oemcrypto/odk/test/odk_timer_test.cpp.
See this document for a list of use cases:
libwvdrmengine/docs/License_Duration_and_Renewal.pdf
Test: Ran the tests against v16 OEMCrypto. Some fail against v15.
Bug: 161463952
Change-Id: I7cd424ae241d3897fbd06956e87dd9da0752cb6d
Cherry-pick from branch rvc-dev of http://go/wvgerrit/105824 and
rvc-widevine-release http://go/ag/12561660
This adds two policy integration tests to verify that we are handling offline
licenses correctly.
Bug: 161023174
Bug: 129301787
Test: WV unit/integration tests
Change-Id: I20f5d6a9fbfd2ff8cff361e1005e45b46c700704
[ Merge of http://go/wvgerrit/104584 ]
This corrects failures in
* WVDrmPluginTest.ReturnsL3SpoidsWhenL3ProvisionedUsingL3Spoid
* WVDrmPluginTest.ReturnsL3SpoidsWhenL3Unprovisioned
* WVDrmPluginTest.ReturnsL1SpoidsWhenL3ProvisionedUsingL1Spoid
and a warning in
* PolicyEngineTest.PlaybackOk_RentalAndLicense0_WithPlaybackBeforeLicense_V15
Bug: 163542905
Test: WVDrmPluginTest and PolicyEngineTest
Change-Id: I3e7799175b7b289fafd2caf88bd5df4123b88973
(This is a merge of the parts of http://go/wvgerrit/105985 that affect
Android.)
This patch fixes some files that, after recent changes, were no longer
building when using OpenSSL instead of BoringSSL. <memory> was missing
in a header, and a function whose return type is different on OpenSSL
was tripping up the format-string warnings.
Bug: 168553979
Test: jenkins/ce_cdm_tests
Test: Android CDM Build
Change-Id: Id6a33d0ce0d3cbe5fe33b3f22aa3ee6b03ac76dd
[ Merge of http://go/wvgerrit/106203 ]
CdmSigningAlgorithm are converted into OEMCrypto_Algorithm enums
before being passed as parameters to OEMCrypto generic crypto functions.
The OEMCrypto_Algorithm variables should never be set to values not
specified in the enum declaration.
These private methods have also been moved to the anonymous namespace.
Bug: 168774486
Test: WV unit/integration tests
Change-Id: Ie570a3cf4447b6c133076baa0909d562824c8e4a
[ Merge of http://go/wvgerrit/108103 ]
The Widevine License Agreement has been renamed to use inclusive
language. This covers files in the cdm, linux, platform, util directory
in addition to some other files.
Bug: 168562298
Test: verified compilation (comment only change)
Change-Id: I9a4977fd4c2ad951769b6be84263f81bd0f22678
[ Merge of http://go/wvgerrit/108064 ]
The Widevine License Agreement has been renamed to use inclusive
language. This covers files in the core directory.
Bug: 168562298
Test: verified compilation (comment only change)
Change-Id: I8ae5a10cbfdf7faae6a2735e57b33729763f10b8
[ Merge of http://go/wvgerrit/108084 ]
The Widevine License Agreement has been renamed to use inclusive
language. This covers files in the android directory.
Bug: 168562298
Test: verified compilation (comment only change)
Change-Id: I0f9e6445e0168ebe85425baeb81371e182e5a39c
[ Merge of http://go/wvgerrit/107763 ]
This CL enables the ability to query the CDM for the analog output
capabilites of the device. Due to the number of possibilities that
OEMCrypto can report, two queries are exposed:
- Output capabilities: None, Supported, CGMS-C, Unknown
- Can disable: True, False, Unknown
Bug: 168322023
Test: Android integration test
Change-Id: I8036a89237d698f170d2c1901c41d1d6b708c917
(This is a merge of http://go/wvgerrit/107263.)
The CryptoSessionMetricsTest suite assumed that GetOEMPublicCertificate
would only be called once, but in practice, it may be called twice,
since the first call can return OEMCrypto_ERROR_SHORT_BUFFER. This patch
updates the tests to accept 1 or 2 calls.
This patch also updates a few EXPECTs on vector lengths that should have
been ASSERTs, to avoid problems when later accessing the vector.
Bug: 169111969
Test: jenkins/ce_cdm_tests
Test: build_and_run_all_unit_tests.sh
Change-Id: I9432dd2694c7181ab57ed55f66ff6c8be0c867f9
(This is a merge of http://go/wvgerrit/107243.)
This code is based on a bug report and patch from Sony.
The TimeRollbackPrevention test was failing when run with CE CDM and the
OEC Ref, although it passed in some other configurations. The cause was
twofold:
1) The test sleep code was not accounting for rollback when calculating
the clock drift, causing incorrect time values to elapse.
2) Fixing the previous exposed a bug in the CE CDM test host where it
did not handle negative time passing correctly.
This patch expands Sony's fix with additional comments and some code
cleanup to try to make the code clearer and more robust against future
errors, particularly in the error-prone TestHost code.
Bug: 169942369
Test: jenkins/ce_cdm_tests
Test: build_and_run_all_unit_tests.sh
Test: x86-64, all CE CDM unit tests
Change-Id: Id52b8c38255f70b04bc2735c4e309fb90992f53e
[ Merge of http://go/wvgerrit/106325 and http://go/ag/12644840 ]
When offline licenses are restored, licenses and any renewals are processed.
License state evaluation occurs and notifications are sent to listeners.
If the license is expired, which is likely if a renewal is present,
the license state will transition to expired. Transitions out of
expired state are not allowed and the renewal has no effect.
If we work around this by allowing transitions out of expired state,
listeners will get notifications that keys have expired and then that are
usable soon after. To avoid delivering erroneous notifications we delay
evaluation of license state while the license and renewal are being processed.
Evaluation occurs at the last stage of license restoration when playback
information from the usage table is being restored.
This only need to occur for when licenses are being restored. In other
cases when a license or renewal is received, license state evaluation
and event listener notification needs to occur immediately.
Bug: 166131956
Test: WV unit/integration tests, GtsMediaTestCases tests
Change-Id: Ic8ade25316c5e20cc88de9225c43c24b28f21ac4
Merge from Widevine repo of http://go/wvgerrit/105347
When reloading an offline license that has an offline renewal, we sign
a unused renewal so that the ODK library can update its clock values.
Test: WV unit/integration tests, GtsMediaTestCases tests
Bug: 166131956
Change-Id: Ib1445fd85222489f21221e00729d4989cb49a331
[ Merge of http://go/wvgerrit/105743 ]
Device ID is no longer reported directly in provisioning/license
request or used by ClientIdentification. It does not need to be passed
in during initialization.
Bug: 168085721
Test: WV unit/integration tests
Change-Id: I483eac963c3f40784e42e1a2b917fcc96aa76a05
This is a cherry pick of recent changes to OEMCrypto and ODK. Most of
these are part of the document migration to doxygen.
See http://go/wvgerrit/106005 and its parents for code reviews.
Bug: 144715340
Bug: 148232693
Bug: 167580674
Change-Id: I658f99c8117b974faed97322d61fac0f382283af
Merge from http://go/wvgerrit/105767
To avoid conflict with metrics.proto in
frameworks/av/drm/libmediadrm/proto.
This is in preparation of moving metrics_dump tool
to build under Android.
bug: 161783052
Test: unit test
Test: Play Movies & Tv and Netflix streaming
Change-Id: I2406b66db4d61cca7c6260ea8847a555d96c8d42
[ Merge of http://go/wvgerrit/105025 ]
Clang and GCC allow for warnings against the arguments for printf-like
functions (e.i. LOGx). These validate that the format type specified
in the format string match the corresponding argument type.
Most of the time, format specifer errors are benign; hence why they
haven't been seen as an error so far. However, with the enabling of
specifier warnings and the enabling of warnings as errors on certain
platforms, these existing errors need to be addressed.
This CL enables format specifier warnings for most of the Widevine
code, with the OEMCrypto L3 implementation which has a single error
which requires a fix in the haystack code before being fixed in the
Widevine branch.
Strict format string warnings are not enabled for non-LP64 systems.
Bug: 137583127
Test: Compiled for Linux and Android
Change-Id: I051398332d31a20457b86563a90ad8f6d428445f
[ Merge of http://go/wvgerrit/105624 ]
Temporary licenses do not allow for license information to be stored
in any form, whether it is usage information or persisting license
information. Information should not be stored even if can_persist is
set to true and a PST is specified as those are suggestions rather than
a requirement.
Bug: 167684104
Test: WV unit/integration tests
Change-Id: I141a2bd5de4d86f0e5f31fc8f0ea9e20710d6469
[ Merge of http://go/wvgerrit/105343 ]
If a device only supports local display (eliminating the need for an
SRM version), then the CDM should treat this as no SRM version.
Bug: 166009716
Test: License request integration test
Change-Id: I2d9c3f98735563df6d7c7a287abab41bf0a8c513
This CL builds the Widevine drm services and libraries.
Soong makefile conversion for unit and integration
tests will be in a different CL.
This doc may help with the review:
https://docs.google.com/document/d/1lK3X9RFPwbbwewLNlS4TfSMhxIlPuAkHRnGcgwWpChU/edit?usp=sharing
Test: build
Test: Play Movies and Netflix streaming
Test: unit tests
build_and_run_all_tests.sh
Test: gts
ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaDrmTest
atest GtsExoPlayerTestCases:com.google.android.exoplayer.gts.DashTest
Test: vts
ANDROID_BUILD_TOP= PATH="$PWD/android-vts/tools:$PATH" vts-tradefed run commandAndExit vts --module VtsHalDrmV1_3Target
Bug: 162321744
Change-Id: I50c0fb2e8f28dfe7901587e3d3203542943e23b1
Merge from Widevine repo of http://go/wvgerrit/102843
The test WvCdmEngineTest.LicenseRenewal is split into two tests. One
test verifies that the renewal may be fetched from the server
specified in the license. The second test verifies that the renewal
may be fetched from the same server that the license was fetched from.
These might be the same server, but when we run against an
experimental server, a staging server, or UAT Nightly, these
will be different.
Test: ran the tests
Bug: 141438127
Change-Id: Ia11441bd2ba0c6ddb264ee38bfcb5060b9ddb476
(This is a cherry-pick of http://go/wvgerrit/104184.)
UBSan has detected several places where our code tripped over what is
technically Undefined Behavior when handling enums, although in practice
any compiler would still generate safe code.
Some of these were places a variable was not being initialized and thus
was filled with garbage data. These have been fixed.
Understanding the rest depends on a bit of C++ trivia I had certainly
never heard before: An enum that doesn't specify its backing type will
frequently have a gap between the range of values the compiler will let
it take (which is limited only by the size of the backing type assigned
by the C++ standard) and the range of values for which the C++ standard
defines the behavior. (which is limited by the minimum number of bits
needed to hold the largest valid enumeration entry) So, for example, an
enum containing ten entries numbered 0 through 9 would be stored in
memory as an int and could thus take any value in the range of an int.
But it only takes 4 bits to represent the numbers 0 through 9. The
largest number that can be represented in 4 bits is 15. So reading the
value of a variable of this enum type when its stored value is outside
the range 0 to 15 is undefined behavior.
An enum that specifies its backing type is not subject to this because
it is defined behavior to access any value representable in the backing
type if one was explicitly specified.
If you think this sounds a bit silly, you'll be happy to know it doesn't
apply from C++17 onwards and most compilers generate code that handles
the undefined behavior values correctly.
Nonetheless, to appease UBSan and protect us from any compilers that
actually rely on this undefined behavior for optimizations, I have
defined backing types for all our enums. I have defaulted to the type
the compiler was already using (int32) and have deviated only where an
enum exists to be compared to or filled from a protobuf field and that
field in the protobuf is unsigned, in which case I used a uint32.
In the case of the CE CDM exported API, this also required changing our
enums from C-style to C++-style.
Bug: 163080356
Test: CE CDM Build & Unit Tests Pass even with UBSan
Test: Android Build & Tests
Change-Id: Id7e0064129e7c4d2827bb4a94825d144eeaacec8
