[ Merge of http://go/wvgerrit/128325 ]
There were a few cases where |cdm_by_session_id_| was being iterated
over and the CDM did not acquire any write-protection locks to prevent
other threads from changing the map simultaneously.
In particular, it was possible that while cleaning up a CDM, and
removing all the associated session in |cdm_by_session_id_| another
CDM could have been opening a session and creating a new association
in |cdm_by_session_id_| at the same time.
Cases where |cdms_| and/or |cdm_by_session_id_| is being written to or
iteratively read from should require a lock. The iterator of
std::map maintains a "view" into the map's tree structure. Modifying
the map (inserting or deleting elements) can potentially change the
structure of the map and the underlying assumptions built into an
iterator's view (ex, the iterator thinking there is an element to the
left or right).
Modifying the value within the map can potentially cause problems, but
is not applicable in our case (we modify the object pointed to by the
map element, but not the pointer itself).
Bug: 190405462
Test: build_and_run_all_unit_tests.sh and MediaDrmTest
Change-Id: I043e238570dac9a0db990f8fe66be271062b965c
[ Merge of http://go/wvgerrit/128163 ]
In android S, we added a feature b/169740403 [Limited lifespan DRM
certificates with license preservation]
Due to uncertainties of when the provisioning service will
launch, we are disabling expiration for legacy DRM certificates.
If the feature does not launch in time, existing DRM certificates
will expire and be replaced. Offline licenses associated with these
expired DRM certificates will fail to load.
Expiration of legacy certificates will be reenabled at a later time.
The main portion of feature, the issuing of new DRM certificates with
expiration time will still be supported.
Bug: 192428783
Bug: 169740403
Test: WV unit/integration tests
Change-Id: I1d1184249848f215953a837f369528d3b74c9618
Merge from Widevine repo of http://go/wvgerrit/127524
Some unit tests used the response buffer size before the size had been
computed. This CL updates the tests.
Bug: 183440999
Bug: 184866351
Test: Ran unit tests on Prov 3.0 device.
Change-Id: I0b23dc7b0dafa9b9eab3cdbd7f29074898e4709b
[ Merge of http://go/wvgerrit/128183 ]
As was the case with WvCdmStreamingUsageReportTest.ReportTest, the
following tests were also updated to handle the case where "license
duration" is unlimited:
- WvCdmStreamingNoPstTest.UsageTest
- WvCdmStreamingPstTest.UsageTest
- WvCdmOfflineUsageReportTest.UsageTest
This is due to the new license duration model used for V16 licenses.
Bug: 163542905
Test: cdm_extended_duration_test
Change-Id: I24d3fc17fcf19129a19ed39a5c6c1ddd59ed073d
[ Merge of http://go/wvgerrit/128143 ]
Now reports LICENSE_STATE_ERROR rather than ERROR_DRM_GENERIC_PLUGIN
to make the cause of failure and suggested action more clear for app
developers. Also added an additional error log.
Bug: 190645000
Test: WV unit/integration tests
Change-Id: Ib23ca628c590316f90f497d8fdfbab24fd644d6f
Merge from Widevine repo of http://go/wvgerrit/128047
There have been some failures with various RSA private keys. We add
them to the unit tests to make sure that OEMCrypto is able to load
these types of keys:
* Shorter: than normal private exponents. This seems to occur
occasionally even with Euler totients. But it occurs more with
Carmichael totients.
* 0-leading-byte: private exponents. This also occurs naturally for
both Euler and Carmichael totients.
* Carmichael: vs Euler totients. I think we may already have tests for
this. But just in case.
Bug: 190450051
Test: ran unit tests on bonito (and they passed!)
Change-Id: Id64ec738479eb8a0f77e253bace319cebe918d3f
Merge from Widevine repo of http://go/wvgerrit/127743
There was some confusion about who owned the OEMCrypto security level
string in a multithreaded environment. This is solved by caching the
security level at initialization time.
Bug: 188706160
Test: ran unit tests on bonito
Change-Id: I93af3bb2e5a8bf190627ee568f752b5ea9543306
[ Merge of http://go/wvgerrit/128046 ]
Test case WvCdmStreamingUsageReportTest.WvCdmStreamingUsageReportTest
was failing comparing "license duration" values returned when querying
for key information for licenses with unlimited "rental duration".
This is due to the new license duration model used for V16 licenses.
From the Widevine MediaDrm doc for "LicenseDurationRemaining":
For OEMCrypto v16+ (Android 11 and later), license duration is no
longer being enforced. If rental duration is set to never expire,
”9223372036854775807” (LLONG_MAX) will be returned.
Similarly, the test has been updated for "playback duration" queries
of the same case.
Bug: 163542905
Test: cdm_extended_duration_test
Change-Id: I57e0e435631a151fac45c963d865de256a773644
This is a merge from the Widevine repo of
http://go/wvgerrit/117311
Update backwards compatibility builds
http://go/wvgerrit/117423
Restrict maximum size of key id
To protect from out-of-memory found by fuzz testing.
http://go/wvgerrit/117683
Generation number should wrap
The master generation number should wrap around on overflow. This
means that we cannot use less than to check for a skew of 1.
http://go/wvgerrit/119232
Replace 0 with nullptr
Bug: 176234903
Bug: 184866351
Bug: 161243686
Test: ran unit tests (CL affects test code only)
Merged-In: Ie787bcf9c66a7605700c3dc29a8aa16406926ce3
Change-Id: I2b02a36a70a0920f31ffc00de102a23516d4b20e
This is a merge of http://go/wvgerrit/126703
Only obfuscated libraries for Android are included in this CL.
L3 loads clock info from an encrypted file during initialization. There
is a bug which calls the clock loading function before the decryption
key gets intialized in InitializeEngine(). Clock will be loaded with bad
decrypted data, which caused playback failure after system reboot.
The fix is to move clock loading after InitializeEngine() to ensure
decryption key is ready.
Bug: 188873354
Bug: 188892717
Test: L3 unit tests;
Test: Manual playback tests on Netflix
Download, play, reboot device, play again
Test: GTS tests https://android-build.googleplex.com/builds/tests/view?invocationId=I02800009363823424&testResultId=TR23225132004211909&redirect=http://sponge2/73efa8e8-951a-48bb-b2a9-0b09d5038ed3
Change-Id: Icf34aa3135fdcb77dea8104a90ce90f14e79e61c
Merge from Widevine repo of http://go/wvgerrit/127246
The unit tests WvGenericCryptoTest expected an error code to be
returned from SelectKey. But we allow an invalid key to be signaled
either at SelectKey or later when the decrypt operation occurs.
This CL just updates the tests.
Bug: 190745519
Test: ran tests on bonito
Change-Id: Ibacc92d6a6e708f2f104cb549b5845335f6c8cf5
[ Merge of http://go/wvgerrit/126463 ]
The Version Number in the test is being updated to 12 to reflect
android OS version (Test only change)
Bug: 190467766
Test: WV request_license_test:
requestVersionNumberTest.VersionNumberChangeCanary
Change-Id: Iad4bb3f178fb2dcb454027c1323e51fe34dfdfff
[ Merge of http://go/wvgerrit/126744 ]
* EngineMetrics previous_oemcrypto_initialization_failure is set only
on a previous failure. Removing it from the list of expectations
as we cannot be certain that it will or will not be set unless we
know the previous state of the device.
* Corrected client_capabililties expectations in
CdmLicenseTest.PrepareKeyRequestValidation
* Correct error expected in
- WVDrmPluginTest.RejectsAtscProvisioningRequests
- WVDrmPluginTest.RejectsAtscUnprovisionDeviceRequests
* Correct expectations
- CdmSessionTest.InitWithBuiltInCertificate,
- CdmSessionTest.InitWithCertificate
- CdmSessionTest.ReInitFail,
- CdmSessionTest.InitFailCryptoError
Bug: 181693982
Test: WV unit/integration tests
Change-Id: I2f1e1c38604d768e0532b30d8551c77ea45e63f4
[ Merge of http://go/wvgerrit/126063 ]
As a side-effect of fixing b/161865160 CDM checks to flag reloading
of an offline license were removed. This left it to the OEMCrypto
which varied by device implementation. Checks are being reintroduced
to the CDM and will help MediaDrm return the expected error
ERROR_LICENSE_STATE.
In addition restoring an offline liense to a session where a license
is already loaded will be rejected.
Bug: 184608310
Bug: 182208685
Test: WV unit/integration tests
MediaDrmTest.testMultipleLoadKeys
Change-Id: Id8ee069d22819f7823aa6af11a41f35f0a04ce0a
Merge from Widevine repo of http://go/wvgerrit/125046
Add some extra fudge to the termination time. This assumes that flaky
tests were caused by roundoff error.
Bug: 175741647
Change-Id: I9bcc86f9b9540e5985df647dd1b5c5d439556e2b
[ Merge of http://go/wvgerrit/124004 ]
When the CDM creates a new usage entry for an offline or streaming
license, the new entry is immediately moved to the lowest available
entry index that has been marked as vacant (kStorageTypeUnknown).
When a license is released, its meta data that is managed by the CDM
is cleared; however, the usage entry's index is marked vacant, but it
is not released. This creates wasted entry space in the usage table.
Unfortunately, defragging the table is computationally expensive and
may not be able to actually free up much space depending on when it
is performed.
For a typical user, this will likely not be an issue as the table
can get quite large compared to the number of licenses an app uses
and the table is partially cleaned on each boot.
GTS tests, however, have reached a point where they fill the usage
table before all tests are complete. This is causing many unexpected
failures for devices. Most of these tests release their license, but
the CDM never reaches a state where it can clean up the table.
By moving newly created entries to the lowest available index directly
after creating the entries, the table never needs to grow unless all
entries are in use. Clean up is now almost never required.
Bug: 180639135
Bug: 180638990
Bug: 180638530
Test: MediaDrmTest#testWidevineApi28
Change-Id: I1a68d90d51384094298b27037778747ce7435374
Merge of these CLs from Widevine sc-dev:
modified: libwvdrmengine/level3/include/clear_cache_function.h
Add cache flush assembly for arm64 L3 to Android header | http://go/wvgerrit/124828
Address compilation errors | http://go/wvgerrit/113083
modified: libwvdrmengine/level3/include/level3_file_system_android.h
Update Widevine Copyright header for android | http://go/wvgerrit/108084
Bug: 184866351
Test: Header changes for clearing cache is verified by one of the partners on their arm64 target;
https: //b.corp.google.com/issues/175432203#comment13
Change-Id: I0ac8f339f65d02abb3080020fbc715b9c0db85b2
[ Merge of http://go/wvgerrit/122984 ]
There was an issue encountered by some vendors with how the usage
table was initialized on some devices. Previously, the CDM would
open an OEMCrypto session first, then initialize the usage table
(loading existing or creating a new one). On these devices,
OEMCrypto_CreateUsageTableHeader() and OEMCrypto_LoadUsageTableHeader()
would fail if there were any open sessions.
This CL changes the initialization process to create/load the usage
table before opening an OEMCrypto session.
This change also lays the ground work for another usage table fix
to address GTS tests failure.
In the process, several of the functions for the usage table have been
split up into smaller chunks of code. This required additional changes
to the usage table unittest to keep them up to date.
Bug: 169195093
Bug: 180639135
Test: Linux unittests and MediaDrmTest
Change-Id: Ifbf35f5d8cff5b89fea9b16edb998c84803f4fbe
build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/124965
The source code change that produced the obfucated code is here:
https://widevine-internal-review.googlesource.com/c/cdm/+/121763
Original commit message from the fix above:
"This is a security improvement against an L3 exploit b/182584472.
The change is to store RSA private key in two parts instead of one,
and load it separately when the key is needed. This will make it
more difficult to find the entire RSA key.
This CL does the key loading part only. Key splitting is done
in Haystack in CL: cl/367515385"
New L3 system IDs included in the obfuscated code:
ID Description
22593 Android S ARM L3 Field Provisioning 3.0
22594 Android S ARM 64 L3 Field Provisioning 3.0
22595 Android S x86 L3 Field Provisioning 3.0
22596 Android S x86 64 L3 Field Provisioning 3.0
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
https://android-build.googleplex.com/builds/forrest/run/L16300000887061939
The only failed case is a test issue due to the new IDs not being added
to the allow list of the test yet. This test passed on local run with
the updated allow list.
Change-Id: If8b8b2cb9291ede0cb2dcc892f5557c3a68c4b96
(This change is merged from http://go/wvgerrit/124825)
The OEMCrypto tests have tests that verify that entitled keys can be
loaded but not that they can be successfully used for decrypt. This
patch adds a decrypt portion to the existing tests.
As part of this, the existing Session::EncryptCTR() method and portions
of Session::TestDecryptCTR() are lifted to be static functions so they
can be shared across unrelated classes in oec_session_util.cpp.
EncryptCTR() had no dependence on its enclosing class and is unchanged
other than being moved outside the class.
To reduce ambiguity with the new decrypt verification, this patch also
renames EntitledMessage::VerifyEntitlementTestKeys() to the
more-specific EntitledMessage::VerifyKCBs(). Its behavior is unchanged.
Bug: 186782279
Test: x86-64 platform
Test: opk_ta platform
Test: build_and_run_all_unit_tests
Change-Id: I15156882907b0987215087aaf43b4666fedc171a
(This change is merged from http://go/wvgerrit/124824)
GenerateSimpleSampleDescription() only had asserts to check parameters
that only came from other test code, so they weren't testing anything of
use. With the asserts removed, it's no longer necessary to wrap calls to
GenerateSimpleSampleDescription() with ASSERT_NO_FATAL_FAILURE(), which
a lot of callers were already forgetting to do anyway. This also
simplifies a future patch that will generalize the decryption test code
to work with entitlement licenses.
Bug: 186782279
Test: x86-64 platform
Test: build_and_run_all_unit_tests
Change-Id: I987427fdfee4826d77ab95344f9aca8c374b2001
Merge from Widevine repo of http://go/wvgerrit/123803
Update fuzz build script to use gyp from third_party folder.
Test: ran fuzz tests on luci
bug: 186271314
bug: 184866351
Change-Id: If530872aa1e60d2108932610415aa5315979390c
