(This is a cherry-pick of http://go/wvgerrit/104184.)
UBSan has detected several places where our code tripped over what is
technically Undefined Behavior when handling enums, although in practice
any compiler would still generate safe code.
Some of these were places a variable was not being initialized and thus
was filled with garbage data. These have been fixed.
Understanding the rest depends on a bit of C++ trivia I had certainly
never heard before: An enum that doesn't specify its backing type will
frequently have a gap between the range of values the compiler will let
it take (which is limited only by the size of the backing type assigned
by the C++ standard) and the range of values for which the C++ standard
defines the behavior. (which is limited by the minimum number of bits
needed to hold the largest valid enumeration entry) So, for example, an
enum containing ten entries numbered 0 through 9 would be stored in
memory as an int and could thus take any value in the range of an int.
But it only takes 4 bits to represent the numbers 0 through 9. The
largest number that can be represented in 4 bits is 15. So reading the
value of a variable of this enum type when its stored value is outside
the range 0 to 15 is undefined behavior.
An enum that specifies its backing type is not subject to this because
it is defined behavior to access any value representable in the backing
type if one was explicitly specified.
If you think this sounds a bit silly, you'll be happy to know it doesn't
apply from C++17 onwards and most compilers generate code that handles
the undefined behavior values correctly.
Nonetheless, to appease UBSan and protect us from any compilers that
actually rely on this undefined behavior for optimizations, I have
defined backing types for all our enums. I have defaulted to the type
the compiler was already using (int32) and have deviated only where an
enum exists to be compared to or filled from a protobuf field and that
field in the protobuf is unsigned, in which case I used a uint32.
In the case of the CE CDM exported API, this also required changing our
enums from C-style to C++-style.
Bug: 163080356
Test: CE CDM Build & Unit Tests Pass even with UBSan
Test: Android Build & Tests
Change-Id: Id7e0064129e7c4d2827bb4a94825d144eeaacec8
[ Merge of http://go/wvgerrit/103243 ]
Include review comments from wv gerrit CL.
Bug: 161551490
Test: WV unit integration tests, GtsMediaTestCases and
WidevineConcurrentDrmCertificatesTest#testConcurrentDrmCertificates,
MediaDrmTest#testMultipleLoadKeys on a redfin
Change-Id: Ie9b41a2e68b95692f9353578f6955637411d4dfc
[ Merge of http://go/wvgerrit/103395 ]
To help with debugging failures in HTTP requests during unit tests,
this CL adds logging for Google's debugging response header fields.
These fields are of the type "X-Google-*" or "x-google-*" and provide
information such as the service name, server cell, error details, and
other details that can help isolate the cause of failure on the
server's end.
An additional unittest has been created to test the parser for the
header fields.
Tests that are known to exprience HTTP failures have been extended
to include logs for these fields should they be present.
Bug: 137619348
Test: Linux unit tests and Jenkins test
Change-Id: I69959af2ba91510f345bbb02cf7ca35c3f1119da
[ Merge of http://go/wvgerrit/103684 ]
[ Cherry pick of http://ag/12221244 ]
The OEMCrypto method for usage table capacity can return zero to
indicate that the usage table size is not explicitly limited. The
CDM must handle this case with regard to the CDM's usage table
management and information querying.
The usage table initialization tests are extended to include cases
where the table does not have a defined limit.
AddEntry() was missing call to update the usage table header after
creating a new usage entry. This call is now included and required
additional changes to the usage table unit tests.
Bug: 160560364
Test: Android unit tests
Change-Id: Ica5d181092d2938d24deba5005a211ca883cb0f0
[ Merge of http://go/wvgerrit/102945 ]
The OEMCrypto method for usage table capacity can return zero to
indicate that the usage table size is not explicitly limited. The
CDM must handle this case with regard to the CDM's usage table
management and information querying.
The usage table initialization tests are extended to include cases
where the table does not have a defined limit.
AddEntry() was missing call to update the usage table header after
creating a new usage entry. This call is now included and required
additional changes to the usage table unit tests.
Bug: 160560364
Test: Android unit tests
Change-Id: Ica5d181092d2938d24deba5005a211ca883cb0f0
[ Merge of http://go/wvgerrit/103243 ]
In v16, OEMCrypto specifications required that an error be returned if
multiple attempts are made to load an offline license into a session.
This caused the GTS test testConcurrentDrmCertificates to fail. It was
introduced to verify that a license could retrieved and loaded into a
session and then restored. This was based on an app use case.
Ideally we would like to disallow a this behavior but need to make sure
it is not being used by apps.
For now this will be allowed. If detected, the CDM will reintialize the
OEMCrypto session and allow the license to be restored.
Bug: 161551490
Test: WV unit integration tests, GtsMediaTestCases and
WidevineConcurrentDrmCertificatesTest#testConcurrentDrmCertificates,
MediaDrmTest#testMultipleLoadKeys on a redfin
Change-Id: I0834e4419c3a6dccfd77aaea3afa3d65c2c0c742
[ Merge of http://go/wvgerrit/102923 ]
Avoid logging an error, on first boot, when trying to retrieve a
certificate that does not yet exist.
Bug: 161201883
Test: WV unit/integration tests
Change-Id: I293f9766a7f2024107d0db45a874a9478b0c3959
Base class uses license_start_time_ which is not updated on renewals.
Merge of http://go/wvgerrit/103123
Bug: 161023174
Bug: 161621246
Test: WidevineDashPolicyTests#testL1RenewalDelay5S
Test: WidevineDashPolicyTests#testL1RenewalDelay13S
Change-Id: I16056d492bea4dd721984998b5cf38409fe3b055
Merge from Widevine repo of http://go/wvgerrit/103107
When an offline license is reloaded, if it does not have a usage entry
to indicate when the rental clock was started, the start time defaults
to 0 in the ODK library (in OEMCrypto). This CL changes the code to
start the rental clock in this case. It does this by signing a dummy
message, which triggers the ODK library to start the rental clock.
Bug: 161585265
Bug: 161023174
Test: GTS tests. http://go/forrest-run/L55100000642199761
Change-Id: I4cf555b2fb43009ffb62e7b2c1a37265c3f70bfe
Merge from Widevine repo of http://go/wvgerrit/102783
When OEMCrypto is v16, but the license server is v15, we should not
create a new nonce for a license renewal. However, the request does
need a nonce or the license server will not generate a valid key
control block. So we should use the nonce that came from the original
license.
Bug: 160676790
Test: tested playback using netflix
Test: GTS tests. http://go/forrest-run/L55100000642199761
Change-Id: Ie1644b5abe0662387edf01f6110d82f70a64df6c
Add options to dump Widevine Cdm properties,
Widevine Cdm metrics, or both.
The valid arguments are Cdm Metrics (m|M) or Cdm Properties (p|P).
If no arguments are provided, both Cdm properties and
Cdm metrics will be displayed.
Test: adb shell lshal debug [drm service] [m/p]
adb shell lshal debug android.hardware.drm@1.3::IDrmFactory/widevine
Bug: 154027349
Change-Id: I95c10dd7d4274226936295c73be4eb1612c2ef6a
[ Merge of http://go/wvgerrit/102167 ]
After changes made to how the usage table is defragged by the CDM,
it was determined that there is no use in selecting more than a single
entry from the usage table to evict. The only failure that can occur
when evicting an entry is if the last entry is in use, in that case,
evicting other entries will still result in a failure.
This change cleans up the LRU algorithm and test cases to reflect
the new functionality.
Bug: 155230578
Test: Linux unit tests
Change-Id: I817c039670d9f72c0e4f6c3fdac45c98ed5b6b21
[ Merge of http://go/wvgerrit/102108 ]
Several tests that make parallel license requests were disabled due
to a flaky server failure unrelated to CDM code. Most of these tests
are now re-enabled to ensure the multi-threaded license requests is
functional on V16.
These tests remains disabled for L3 due to continued flakiness.
Added a lock around the initialization of the SSL library to prevent
issues with license requests getting garbled.
Bug: 137619348
Test: Linux and Android unit tests
Change-Id: Idffaa6039b2bde12613bb5033af32d1af6704c76
(This is a merge of http://go/wvgerrit/102084.)
No one was claiming ownership of the metrics object in
CertificateProvisioningTest, resulting in a leak. This patch makes the
test hold onto ownership.
Bug: 159486086
Test: CE CDM Unit Tests
Test: Android Unit Tests
Change-Id: I84710782b7a60d6bd3a7eda981de4f0af877fc39
(This is a merge of http://go/wvgerrit/102104)
The device file unit tests use some custom matchers that were written
back when we didn't have C++11. Because gMock requires std::tuple to
pass a pointer AND a length to a matcher, these matchers had to estimate
the length of the file. This technically meant they were causing a
benign buffer overrun sometimes.
Since we have C++11 now, we can fix this by using a matcher over a
std::pair of the pointer and length. I also took the opportunity to
refactor the matchers a little. The old matchers had many very specific
overloads and also collided with the names of some standard gMock
matchers. Now there are just two more-general matchers with unique
names.
Test: CE CDM Unit Tests
Test: Android Unit Tests
Bug: 159463905
Change-Id: I758b140226bfe2bae6962ee5c64fd6af186b5819
[ Merge of http://go/wvgerrit/102109 ]
The CDM was using unique CDM error codes for the various cases
where OEMCrypto would return INSUFFICIENT_RESOURCE. However, these
error codes were being incorrectly mapped at the Android level,
resulting in incorrect errors in the MediaDRM layer.
At no point does the CDM handle different INSUFFICIENT_RESOURCE_x
within the same case, as such the use of unique codes are limited.
This CL removes the unique codes, and unifies them under the same
CDM error code.
This CL also extends SelectKey to handle error codes returned by
LoadEntitledContentKeys.
Bug: 154682842
Test: Unit tests
Change-Id: I319fabf6cac60b0dc19ea891609689daeeaeb435
[ Merge of http://go/wvgerrit/102068 ]
CDM sessions should not be able to load multiple usage entries.
OEMCrypto already prevents multiple entries from being loaded by the
same OEMCrypto session; however, restoring a key typically creates a
new OEMCrypto session, which should not be allowed twice within the
same CDM session.
This test verifies that CDM returns an error if restore key is called
multiple times within the same session.
Bug: 136143733
Test: Android integration test
Change-Id: I594c91250217fd958837328162f909bc931d373f
[ Merge of http://go/wvgerrit/101443 ]
The WVDrmPlugin has a single CdmIdentifier. The CdmIdentifier contains
a SPOID that is calculated from the device ID (keybox or OEM cert),
an application reverse domain name and possibly an origin.
The CdmIdentifier is set and SPOID calculated on certain calls into
WVDrmPlugin. Once it is set, it will not be recalculated. We prevent
certain operations such as modifying the origin once the CdmIdentifier
has been set as this will require recalculating the SPOID.
Recalculating the SPOID may affect open sessions or calls in progress.
In a similar way, modifying the security level, will affect the
Device ID value and in turn the SPOID. The security level cannot be modified
if any sessions are open. This does leave open the possibility that the
SPOID may be calculated at one security level, sessions are then closed,
and the security level is then changed without an error being flagged.
The provisioning certificate file name is based on the SPOID. When
the SPOID does not match the security level, either the provisioning
information may not be found even though that security level has
been provisionined or the provisioning information may be stored
in an incorrect location if provisioning occurs.
The correct solution is to prevent modifications to the security level
once the CdmIdentifier is set. This is a behavior change and might
impact apps. We will reevaluate this for the next release.
For now, we will work around this. When the CdmIdentifier is set for L3,
we will calculate SPOIDs with both L1 and L3 device IDs and check if
provisioning previously occurred with SPOIDs calculated for that level.
If so, use that level, otherwise use L3.
Bug: 147703382
Test: Android unit/integration tests, GtsMediaDrmTests
Change-Id: Ia64adfc5848e431ee3876af03eebdb4b6eb83116
[ Merge of http://go/wvgerrit/100905 and http://go/ag/10708438 ]
Add support for ATSC certificate and licenses handling. ATSC
files are distinguished from the apps DRM certificate and licenses
by file naming conventions.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I295f66f92fe01d7716978deac9dc360d74addedd
[ Merge of http://go/wvgerrit/100864 and http://go/ag/10704773 ]
ATSC 3.0 allows for licenses to be downloaded OTA and are tied to
a DRM certificate that may be shared across apps. The provisioning
process for ATSC may happen at the factory or during an OS update.
This contrasts from the regular OTT model, which requires that
provisioning and license download have an uplink as well as a
downlink connection.
This adds support for the ATSC mode property. ATSC mode can only be
set (or unset) before sessions are opened. Once the CDM identifier is
set/sealed, requests to modify the ATSC mode will be rejected.
If one needs to open sessions with both ATSC mode and regular (non-ATSC)
mode, separate MediaDrm objects will need to be created. The default
mode is to not use ATSC.
Enable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "enable")
Disable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "disable")
Provisioning and unprovisioning requests for ATSC will be rejected as
certificates will be retrieved by the ATSC service.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I142f286c711fe007ff42125c3c8cdc6450b6ea36
(This is a merge of http://go/wvgerrit/101423 to Android.)
This header was missing. On the STL used inside Google, it gets included
transitively, but this is not guaranteed and broke in a partner's STL.
Bug: 154185251
Test: Android Build
Test: CE CDM Build and Unit Tests
Change-Id: If8df7e288073e69250f98d67f732804a955bbaa3
[ Merge of http://go/wvgerrit/100403 ]
VersionNumberTest.VersionNumberChangeCanary was expecting a version
string of "R". However, Android rvc branch is now far enough into
development to use a numbered version: version "11".
Bug: 156853733
Test: Android license request test
Change-Id: I63d33f742c849b672b2d2402ab8423fdf2450f6f
