[ Merge of http://go/wvgerrit/106325 and http://go/ag/12644840 ]
When offline licenses are restored, licenses and any renewals are processed.
License state evaluation occurs and notifications are sent to listeners.
If the license is expired, which is likely if a renewal is present,
the license state will transition to expired. Transitions out of
expired state are not allowed and the renewal has no effect.
If we work around this by allowing transitions out of expired state,
listeners will get notifications that keys have expired and then that are
usable soon after. To avoid delivering erroneous notifications we delay
evaluation of license state while the license and renewal are being processed.
Evaluation occurs at the last stage of license restoration when playback
information from the usage table is being restored.
This only need to occur for when licenses are being restored. In other
cases when a license or renewal is received, license state evaluation
and event listener notification needs to occur immediately.
Bug: 166131956
Test: WV unit/integration tests, GtsMediaTestCases tests
Change-Id: Ic8ade25316c5e20cc88de9225c43c24b28f21ac4
[ Merge of http://go/wvgerrit/105743 ]
Device ID is no longer reported directly in provisioning/license
request or used by ClientIdentification. It does not need to be passed
in during initialization.
Bug: 168085721
Test: WV unit/integration tests
Change-Id: I483eac963c3f40784e42e1a2b917fcc96aa76a05
Merge from http://go/wvgerrit/105767
To avoid conflict with metrics.proto in
frameworks/av/drm/libmediadrm/proto.
This is in preparation of moving metrics_dump tool
to build under Android.
bug: 161783052
Test: unit test
Test: Play Movies & Tv and Netflix streaming
Change-Id: I2406b66db4d61cca7c6260ea8847a555d96c8d42
[ Merge of http://go/wvgerrit/105025 ]
Clang and GCC allow for warnings against the arguments for printf-like
functions (e.i. LOGx). These validate that the format type specified
in the format string match the corresponding argument type.
Most of the time, format specifer errors are benign; hence why they
haven't been seen as an error so far. However, with the enabling of
specifier warnings and the enabling of warnings as errors on certain
platforms, these existing errors need to be addressed.
This CL enables format specifier warnings for most of the Widevine
code, with the OEMCrypto L3 implementation which has a single error
which requires a fix in the haystack code before being fixed in the
Widevine branch.
Strict format string warnings are not enabled for non-LP64 systems.
Bug: 137583127
Test: Compiled for Linux and Android
Change-Id: I051398332d31a20457b86563a90ad8f6d428445f
[ Merge of http://go/wvgerrit/105343 ]
If a device only supports local display (eliminating the need for an
SRM version), then the CDM should treat this as no SRM version.
Bug: 166009716
Test: License request integration test
Change-Id: I2d9c3f98735563df6d7c7a287abab41bf0a8c513
This CL builds the Widevine drm services and libraries.
Soong makefile conversion for unit and integration
tests will be in a different CL.
This doc may help with the review:
https://docs.google.com/document/d/1lK3X9RFPwbbwewLNlS4TfSMhxIlPuAkHRnGcgwWpChU/edit?usp=sharing
Test: build
Test: Play Movies and Netflix streaming
Test: unit tests
build_and_run_all_tests.sh
Test: gts
ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaDrmTest
atest GtsExoPlayerTestCases:com.google.android.exoplayer.gts.DashTest
Test: vts
ANDROID_BUILD_TOP= PATH="$PWD/android-vts/tools:$PATH" vts-tradefed run commandAndExit vts --module VtsHalDrmV1_3Target
Bug: 162321744
Change-Id: I50c0fb2e8f28dfe7901587e3d3203542943e23b1
Merge from Widevine repo of http://go/wvgerrit/102843
The test WvCdmEngineTest.LicenseRenewal is split into two tests. One
test verifies that the renewal may be fetched from the server
specified in the license. The second test verifies that the renewal
may be fetched from the same server that the license was fetched from.
These might be the same server, but when we run against an
experimental server, a staging server, or UAT Nightly, these
will be different.
Test: ran the tests
Bug: 141438127
Change-Id: Ia11441bd2ba0c6ddb264ee38bfcb5060b9ddb476
(This is a cherry-pick of http://go/wvgerrit/104184.)
UBSan has detected several places where our code tripped over what is
technically Undefined Behavior when handling enums, although in practice
any compiler would still generate safe code.
Some of these were places a variable was not being initialized and thus
was filled with garbage data. These have been fixed.
Understanding the rest depends on a bit of C++ trivia I had certainly
never heard before: An enum that doesn't specify its backing type will
frequently have a gap between the range of values the compiler will let
it take (which is limited only by the size of the backing type assigned
by the C++ standard) and the range of values for which the C++ standard
defines the behavior. (which is limited by the minimum number of bits
needed to hold the largest valid enumeration entry) So, for example, an
enum containing ten entries numbered 0 through 9 would be stored in
memory as an int and could thus take any value in the range of an int.
But it only takes 4 bits to represent the numbers 0 through 9. The
largest number that can be represented in 4 bits is 15. So reading the
value of a variable of this enum type when its stored value is outside
the range 0 to 15 is undefined behavior.
An enum that specifies its backing type is not subject to this because
it is defined behavior to access any value representable in the backing
type if one was explicitly specified.
If you think this sounds a bit silly, you'll be happy to know it doesn't
apply from C++17 onwards and most compilers generate code that handles
the undefined behavior values correctly.
Nonetheless, to appease UBSan and protect us from any compilers that
actually rely on this undefined behavior for optimizations, I have
defined backing types for all our enums. I have defaulted to the type
the compiler was already using (int32) and have deviated only where an
enum exists to be compared to or filled from a protobuf field and that
field in the protobuf is unsigned, in which case I used a uint32.
In the case of the CE CDM exported API, this also required changing our
enums from C-style to C++-style.
Bug: 163080356
Test: CE CDM Build & Unit Tests Pass even with UBSan
Test: Android Build & Tests
Change-Id: Id7e0064129e7c4d2827bb4a94825d144eeaacec8
[ Merge of http://go/wvgerrit/103395 ]
To help with debugging failures in HTTP requests during unit tests,
this CL adds logging for Google's debugging response header fields.
These fields are of the type "X-Google-*" or "x-google-*" and provide
information such as the service name, server cell, error details, and
other details that can help isolate the cause of failure on the
server's end.
An additional unittest has been created to test the parser for the
header fields.
Tests that are known to exprience HTTP failures have been extended
to include logs for these fields should they be present.
Bug: 137619348
Test: Linux unit tests and Jenkins test
Change-Id: I69959af2ba91510f345bbb02cf7ca35c3f1119da
[ Merge of http://go/wvgerrit/103684 ]
[ Cherry pick of http://ag/12221244 ]
The OEMCrypto method for usage table capacity can return zero to
indicate that the usage table size is not explicitly limited. The
CDM must handle this case with regard to the CDM's usage table
management and information querying.
The usage table initialization tests are extended to include cases
where the table does not have a defined limit.
AddEntry() was missing call to update the usage table header after
creating a new usage entry. This call is now included and required
additional changes to the usage table unit tests.
Bug: 160560364
Test: Android unit tests
Change-Id: Ica5d181092d2938d24deba5005a211ca883cb0f0
[ Merge of http://go/wvgerrit/102945 ]
The OEMCrypto method for usage table capacity can return zero to
indicate that the usage table size is not explicitly limited. The
CDM must handle this case with regard to the CDM's usage table
management and information querying.
The usage table initialization tests are extended to include cases
where the table does not have a defined limit.
AddEntry() was missing call to update the usage table header after
creating a new usage entry. This call is now included and required
additional changes to the usage table unit tests.
Bug: 160560364
Test: Android unit tests
Change-Id: Ica5d181092d2938d24deba5005a211ca883cb0f0
[ Merge of http://go/wvgerrit/103243 ]
In v16, OEMCrypto specifications required that an error be returned if
multiple attempts are made to load an offline license into a session.
This caused the GTS test testConcurrentDrmCertificates to fail. It was
introduced to verify that a license could retrieved and loaded into a
session and then restored. This was based on an app use case.
Ideally we would like to disallow a this behavior but need to make sure
it is not being used by apps.
For now this will be allowed. If detected, the CDM will reintialize the
OEMCrypto session and allow the license to be restored.
Bug: 161551490
Test: WV unit integration tests, GtsMediaTestCases and
WidevineConcurrentDrmCertificatesTest#testConcurrentDrmCertificates,
MediaDrmTest#testMultipleLoadKeys on a redfin
Change-Id: I0834e4419c3a6dccfd77aaea3afa3d65c2c0c742
[ Merge of http://go/wvgerrit/102923 ]
Avoid logging an error, on first boot, when trying to retrieve a
certificate that does not yet exist.
Bug: 161201883
Test: WV unit/integration tests
Change-Id: I293f9766a7f2024107d0db45a874a9478b0c3959
Base class uses license_start_time_ which is not updated on renewals.
Merge of http://go/wvgerrit/103123
Bug: 161023174
Bug: 161621246
Test: WidevineDashPolicyTests#testL1RenewalDelay5S
Test: WidevineDashPolicyTests#testL1RenewalDelay13S
Change-Id: I16056d492bea4dd721984998b5cf38409fe3b055
[ Merge of http://go/wvgerrit/102167 ]
After changes made to how the usage table is defragged by the CDM,
it was determined that there is no use in selecting more than a single
entry from the usage table to evict. The only failure that can occur
when evicting an entry is if the last entry is in use, in that case,
evicting other entries will still result in a failure.
This change cleans up the LRU algorithm and test cases to reflect
the new functionality.
Bug: 155230578
Test: Linux unit tests
Change-Id: I817c039670d9f72c0e4f6c3fdac45c98ed5b6b21
[ Merge of http://go/wvgerrit/102108 ]
Several tests that make parallel license requests were disabled due
to a flaky server failure unrelated to CDM code. Most of these tests
are now re-enabled to ensure the multi-threaded license requests is
functional on V16.
These tests remains disabled for L3 due to continued flakiness.
Added a lock around the initialization of the SSL library to prevent
issues with license requests getting garbled.
Bug: 137619348
Test: Linux and Android unit tests
Change-Id: Idffaa6039b2bde12613bb5033af32d1af6704c76
(This is a merge of http://go/wvgerrit/102084.)
No one was claiming ownership of the metrics object in
CertificateProvisioningTest, resulting in a leak. This patch makes the
test hold onto ownership.
Bug: 159486086
Test: CE CDM Unit Tests
Test: Android Unit Tests
Change-Id: I84710782b7a60d6bd3a7eda981de4f0af877fc39
(This is a merge of http://go/wvgerrit/102104)
The device file unit tests use some custom matchers that were written
back when we didn't have C++11. Because gMock requires std::tuple to
pass a pointer AND a length to a matcher, these matchers had to estimate
the length of the file. This technically meant they were causing a
benign buffer overrun sometimes.
Since we have C++11 now, we can fix this by using a matcher over a
std::pair of the pointer and length. I also took the opportunity to
refactor the matchers a little. The old matchers had many very specific
overloads and also collided with the names of some standard gMock
matchers. Now there are just two more-general matchers with unique
names.
Test: CE CDM Unit Tests
Test: Android Unit Tests
Bug: 159463905
Change-Id: I758b140226bfe2bae6962ee5c64fd6af186b5819
[ Merge of http://go/wvgerrit/102109 ]
The CDM was using unique CDM error codes for the various cases
where OEMCrypto would return INSUFFICIENT_RESOURCE. However, these
error codes were being incorrectly mapped at the Android level,
resulting in incorrect errors in the MediaDRM layer.
At no point does the CDM handle different INSUFFICIENT_RESOURCE_x
within the same case, as such the use of unique codes are limited.
This CL removes the unique codes, and unifies them under the same
CDM error code.
This CL also extends SelectKey to handle error codes returned by
LoadEntitledContentKeys.
Bug: 154682842
Test: Unit tests
Change-Id: I319fabf6cac60b0dc19ea891609689daeeaeb435
[ Merge of http://go/wvgerrit/100905 and http://go/ag/10708438 ]
Add support for ATSC certificate and licenses handling. ATSC
files are distinguished from the apps DRM certificate and licenses
by file naming conventions.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I295f66f92fe01d7716978deac9dc360d74addedd
[ Merge of http://go/wvgerrit/100864 and http://go/ag/10704773 ]
ATSC 3.0 allows for licenses to be downloaded OTA and are tied to
a DRM certificate that may be shared across apps. The provisioning
process for ATSC may happen at the factory or during an OS update.
This contrasts from the regular OTT model, which requires that
provisioning and license download have an uplink as well as a
downlink connection.
This adds support for the ATSC mode property. ATSC mode can only be
set (or unset) before sessions are opened. Once the CDM identifier is
set/sealed, requests to modify the ATSC mode will be rejected.
If one needs to open sessions with both ATSC mode and regular (non-ATSC)
mode, separate MediaDrm objects will need to be created. The default
mode is to not use ATSC.
Enable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "enable")
Disable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "disable")
Provisioning and unprovisioning requests for ATSC will be rejected as
certificates will be retrieved by the ATSC service.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I142f286c711fe007ff42125c3c8cdc6450b6ea36
Merge from Widevine repo of http://go/wvgerrit/99843
When processing a license release, the license is not loaded, so
OEMCrypto does not know nonce version information for the core
message. It assumes that all license releases are v15, so it is not an
error for a license release to not have a core message.
This CL also adds some extra logging to tests so that we can track
content id and the pssh. This CL also updates some of the test content
policies when running the local license server. The local license
server is only used for debugging problems.
Bug: 152648172 Integration test WvCdmEngineTest.LicenseRenewal failing
Bug: 156259697 License release does not need core message
Test: Unit tests with v16 mod mock
Change-Id: I04c896adadfb17877ce1115345d2419e0d2489f0
[ Merge of http://go/wvgerrit/96071 ]
Changes to how the usage table method InvalidateEntry() behaves
required additional changes to CDM code that uses this method.
This involved some refactoring to AddEntry(), moving the LRU
related code to its own function.
A few unittests had to be changed / removed as the moving
multiple entries changes expectations of several existing tests.
Several additional helper methods have been created to improve
readability. These include getters for information about the
usage table, a method for releasing stale entries, and a method of
recording LRU metrics.
Bug: 150890014
Bug: 150887808
Bug: 154269671
Test: Linux unit tests and Android unit tests
Change-Id: I11a98f9a2dea9b2ae57b37d7d4483a37be721763
[ Merge of http://go/wvgerrit/95365 ]
The changes made to how DeleteEntry (now InvalidateEntry) works
introduced a few additional edge cases which were not covered from the
previous set of unit tests.
Bug: 150887808
Bug: 149100568
Test: Linux unit tests and Android unit tests
Change-Id: I263b72fb708c6546294af23ae5ddbd2e82da34df
[ Merge of http://go/wvgerrit/95406 ]
There was an issue with DeleteEntry() where it would result in an
invalid table state if shrinking the usage table when the number of
sessions is at its max.
This required changing how the usage table invalidates entries. Now,
after invalidating an entry (marking an entry as kStorageTypeUnknown)
the table is defragmented if specified to.
Defragmentation involves:
1) Move valid entries near the end of the table to the position of
invalid entries near the front of the table.
2) Shrinking the table to cut off trailing invalid entries.
This change updates the existing tests to pass, but still needs new
tests for some of the edge cases.
Bug: 150887808
Bug: 149100568
Test: Linux unit tests and Android unit tests
Change-Id: I70c7b296e5e4b367746fcdaabbf0f12dcfb39230
[ Merge of http://go/wvgerrit/97963 ]
There are situations where an offline license file will remain on the
system after it's usage entry has been deleted. This would result in
its key set ID being reported as present by the CDM, but any
operations acting upon it will result in an error.
The app should be able to remove the license without error, so long
as the license file exists and no other OEMCrypto operations fail.
This change introduces a new error code LICENSE_USAGE_ENTRY_MISSING,
which indicates that a license's usage entry cannot be found.
A new integration test checks that the CDM can handle the calls to
removeOfflineLicense().
Bug: 137034719
Test: Android unit and integration tests
Change-Id: Ibdbe963b7f7e3ac97b446300d8e3896cdee7abc5
[ Merge of http://go/wvgerrit/97267 ]
In earlier releases, provisioning would occur based on a cached
security level. If an open session call returned a NotProvisionedException
the security level would be cached for use with any future provisioning
call.
An app would have to set the security level, then call openSession,
have it fail and then request provisioning. This fits the normal flow of
most apps. Still on occasion, an app might change requested security level
after an openSession call failed. Using the cached security level
would result in unexpected behavior.
This change allows provisioning to occur at the last security level that
was set.
Bug: 129356527
Test: wv unit/integration tests, GTS tests (GtsMediaTestCases)
Merged-In: I8d9234eec2b23a9c913e77a709943b431e25e43e
Change-Id: I8d9234eec2b23a9c913e77a709943b431e25e43e
[ Merge of http://go/wvgerrit/98694 and http://go/ag/11052323 ]
In earlier releases, provisioning would occur based on a cached
security level. If an open session call returned a NotProvisionedException
the security level would be cached for use with any future provisioning
call.
An app would have to set the security level, then call openSession,
have it fail and then request provisioning. This fits the normal flow of
most apps. Still on occasion, an app might change requested security level
after an openSession call failed. Using the cached security level
would result in unexpected behavior.
This change allows provisioning to occur at the last security level that
was set.
Bug: 129356527
Test: wv unit/integration tests, GTS tests (GtsMediaTestCases)
Change-Id: I8d9234eec2b23a9c913e77a709943b431e25e43e
[ Merge of http://go/wvgerrit/98467 ]
The issue with intermediate provisioning request failures with the
development provisioning server has been resolved in b/139206968.
This change removes the provisioning retry loop which was a workaround
for the CDM unit tests. Should the issue re-arise, it would be useful
to detect it in our unit tests.
Bug: 139361531
Test: Linux unit tests
Change-Id: Ib44c56c740efea562803d3f8f93ffd62bd95e485
[ Merge of http://go/wvgerrit/95405 ]
There are several OEMCrypto functions that do not require an open
session to be called. This change updates the OEMCrypto functions
related to the Usage Table Header.
Bug: 150888316
Test: Linux unit tests and Android build
Change-Id: Ic879876dd190fb3e058bbe8e0cce37273030b105
[ Merge of http://go/wvgerrit/95404 ]
There are three situtations where error codes from a usage table
operations were not being mapped to unique CDM response types. These
particular errors provide useful information for the CDM during table
defragging.
Also fixed misspelled error code.
Bug: 150890014
Bug: 150891685
Test: Linux unit tests and Android build
Change-Id: I683abdd5fc0871317eede960ea36cfafac7e7f49
Merge from Widevine repo of http://go/wvgerrit/94505
Some tests use an EXPECT when checking an array size or to verify a
pointer is not null. Then they access the pointer or array. When they
use an EXPECT, this access results in a segfault.
I also removed a compiler warning about unused parameters.
Bug: 149856581
Test: request_license_test (now lists failed tests)
Change-Id: I08ac11250921245c89ed5c0c43cc5f4321e0a9cc
(This is a merge of http://go/wvgerrit/93829,
http://go/wvgerrit/93830, http://go/wvgerrit/93832,
http://go/wvgerrit/93833, and http://go/wvgerrit/93834 from the
Widevine repo.)
This implements the CDM code changes necessary to take advantage of
Combined Decrypt Calls on OEMCrypto v16. The result of this is that
WVCryptoPlugin is much lighter now because it can pass the full sample
down to the core in one call, but CryptoSession is heavier, as it now
has to handle more complex fallback logic when devices can't handle
multiple subsamples at once.
This patch also removes support for the 'cens' and 'cbc1' schema, which
are being dropped in OEMCrypto v16. This fixes an overflow in the code
for handling those schemas by removing it entirely.
This patch also fixes the "in chunks" legacy decrypt path to use larger
chunk sizes on devices with higher resource rating tiers.
Bug: 135285640
Bug: 123435824
Bug: 138584971
Bug: 139257871
Bug: 78289910
Bug: 149361893
Test: no new CE CDM Unit Test failures
Test: Google Play plays
Test: Netflix plays
Test: no new GTS failures
Change-Id: Ic4952c9fa3bc7fd5ed08698e88254380a7a18514
[ Merge of http://go/wvgerrit/93865 ]
This allows for handling of timer and clock values as supported when both
the license service and the OEMCrypto on the device support v16.
A flag based on a value in the SignedResponse license indicates
whether this support should be enabled. A new class PolicyTimerV16
performs the duration value evaluation.
Bug: 139372190
Test: Android WV unit/integration tests
Change-Id: Iacbbd51ad26c9f29cb5418ff832f8822982644b7
