[ Merge of http://go/wvgerrit/102109 ]
The CDM was using unique CDM error codes for the various cases
where OEMCrypto would return INSUFFICIENT_RESOURCE. However, these
error codes were being incorrectly mapped at the Android level,
resulting in incorrect errors in the MediaDRM layer.
At no point does the CDM handle different INSUFFICIENT_RESOURCE_x
within the same case, as such the use of unique codes are limited.
This CL removes the unique codes, and unifies them under the same
CDM error code.
This CL also extends SelectKey to handle error codes returned by
LoadEntitledContentKeys.
Bug: 154682842
Test: Unit tests
Change-Id: I319fabf6cac60b0dc19ea891609689daeeaeb435
[ Merge of http://go/wvgerrit/100905 and http://go/ag/10708438 ]
Add support for ATSC certificate and licenses handling. ATSC
files are distinguished from the apps DRM certificate and licenses
by file naming conventions.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I295f66f92fe01d7716978deac9dc360d74addedd
[ Merge of http://go/wvgerrit/100864 and http://go/ag/10704773 ]
ATSC 3.0 allows for licenses to be downloaded OTA and are tied to
a DRM certificate that may be shared across apps. The provisioning
process for ATSC may happen at the factory or during an OS update.
This contrasts from the regular OTT model, which requires that
provisioning and license download have an uplink as well as a
downlink connection.
This adds support for the ATSC mode property. ATSC mode can only be
set (or unset) before sessions are opened. Once the CDM identifier is
set/sealed, requests to modify the ATSC mode will be rejected.
If one needs to open sessions with both ATSC mode and regular (non-ATSC)
mode, separate MediaDrm objects will need to be created. The default
mode is to not use ATSC.
Enable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "enable")
Disable ATSC mode by calling
mediaDrm.setPropertyString("atscMode", "disable")
Provisioning and unprovisioning requests for ATSC will be rejected as
certificates will be retrieved by the ATSC service.
Bug: 139730600
Test: WV unit/integration test, GtsMediaTestCases
Change-Id: I142f286c711fe007ff42125c3c8cdc6450b6ea36
(This is a merge of http://go/wvgerrit/101423 to Android.)
This header was missing. On the STL used inside Google, it gets included
transitively, but this is not guaranteed and broke in a partner's STL.
Bug: 154185251
Test: Android Build
Test: CE CDM Build and Unit Tests
Change-Id: If8df7e288073e69250f98d67f732804a955bbaa3
(This is a merge of http://go/wvgerrit/100051. However, only one part of
that change affects the Android code, so I have filtered this
description.)
By default, the CDM builds with Clang on Android and on developers' dev
boxes. The buildbot builds most of the code with an old version of GCC.
However, recent versions of GCC were refusing to build our code for a
variety of reasons. This patch fixes the codebase up so that the
version of GCC 9 included on gLinux workstations can compile the CDM.
The only change that affects Android is that a variable was being set
but never read in one place.
Test: Android Unit Tests
Bug: 145245240
Bug: 152449437
Change-Id: Iaeb0531652bb8e7bd69f850fc6b4bba1efa3271b
Merge from Widevine repo of http://go/wvgerrit/99843
When processing a license release, the license is not loaded, so
OEMCrypto does not know nonce version information for the core
message. It assumes that all license releases are v15, so it is not an
error for a license release to not have a core message.
This CL also adds some extra logging to tests so that we can track
content id and the pssh. This CL also updates some of the test content
policies when running the local license server. The local license
server is only used for debugging problems.
Bug: 152648172 Integration test WvCdmEngineTest.LicenseRenewal failing
Bug: 156259697 License release does not need core message
Test: Unit tests with v16 mod mock
Change-Id: I04c896adadfb17877ce1115345d2419e0d2489f0
[ Merge of http://go/wvgerrit/96071 ]
Changes to how the usage table method InvalidateEntry() behaves
required additional changes to CDM code that uses this method.
This involved some refactoring to AddEntry(), moving the LRU
related code to its own function.
A few unittests had to be changed / removed as the moving
multiple entries changes expectations of several existing tests.
Several additional helper methods have been created to improve
readability. These include getters for information about the
usage table, a method for releasing stale entries, and a method of
recording LRU metrics.
Bug: 150890014
Bug: 150887808
Bug: 154269671
Test: Linux unit tests and Android unit tests
Change-Id: I11a98f9a2dea9b2ae57b37d7d4483a37be721763
[ Merge of http://go/wvgerrit/95365 ]
The changes made to how DeleteEntry (now InvalidateEntry) works
introduced a few additional edge cases which were not covered from the
previous set of unit tests.
Bug: 150887808
Bug: 149100568
Test: Linux unit tests and Android unit tests
Change-Id: I263b72fb708c6546294af23ae5ddbd2e82da34df
[ Merge of http://go/wvgerrit/95406 ]
There was an issue with DeleteEntry() where it would result in an
invalid table state if shrinking the usage table when the number of
sessions is at its max.
This required changing how the usage table invalidates entries. Now,
after invalidating an entry (marking an entry as kStorageTypeUnknown)
the table is defragmented if specified to.
Defragmentation involves:
1) Move valid entries near the end of the table to the position of
invalid entries near the front of the table.
2) Shrinking the table to cut off trailing invalid entries.
This change updates the existing tests to pass, but still needs new
tests for some of the edge cases.
Bug: 150887808
Bug: 149100568
Test: Linux unit tests and Android unit tests
Change-Id: I70c7b296e5e4b367746fcdaabbf0f12dcfb39230
[ Merge of http://go/wvgerrit/97963 ]
There are situations where an offline license file will remain on the
system after it's usage entry has been deleted. This would result in
its key set ID being reported as present by the CDM, but any
operations acting upon it will result in an error.
The app should be able to remove the license without error, so long
as the license file exists and no other OEMCrypto operations fail.
This change introduces a new error code LICENSE_USAGE_ENTRY_MISSING,
which indicates that a license's usage entry cannot be found.
A new integration test checks that the CDM can handle the calls to
removeOfflineLicense().
Bug: 137034719
Test: Android unit and integration tests
Change-Id: Ibdbe963b7f7e3ac97b446300d8e3896cdee7abc5
[ Merge of http://go/wvgerrit/97267 ]
In earlier releases, provisioning would occur based on a cached
security level. If an open session call returned a NotProvisionedException
the security level would be cached for use with any future provisioning
call.
An app would have to set the security level, then call openSession,
have it fail and then request provisioning. This fits the normal flow of
most apps. Still on occasion, an app might change requested security level
after an openSession call failed. Using the cached security level
would result in unexpected behavior.
This change allows provisioning to occur at the last security level that
was set.
Bug: 129356527
Test: wv unit/integration tests, GTS tests (GtsMediaTestCases)
Merged-In: I8d9234eec2b23a9c913e77a709943b431e25e43e
Change-Id: I8d9234eec2b23a9c913e77a709943b431e25e43e
[ Merge of http://go/wvgerrit/98694 and http://go/ag/11052323 ]
In earlier releases, provisioning would occur based on a cached
security level. If an open session call returned a NotProvisionedException
the security level would be cached for use with any future provisioning
call.
An app would have to set the security level, then call openSession,
have it fail and then request provisioning. This fits the normal flow of
most apps. Still on occasion, an app might change requested security level
after an openSession call failed. Using the cached security level
would result in unexpected behavior.
This change allows provisioning to occur at the last security level that
was set.
Bug: 129356527
Test: wv unit/integration tests, GTS tests (GtsMediaTestCases)
Change-Id: I8d9234eec2b23a9c913e77a709943b431e25e43e
[ Merge of http://go/wvgerrit/98467 ]
The issue with intermediate provisioning request failures with the
development provisioning server has been resolved in b/139206968.
This change removes the provisioning retry loop which was a workaround
for the CDM unit tests. Should the issue re-arise, it would be useful
to detect it in our unit tests.
Bug: 139361531
Test: Linux unit tests
Change-Id: Ib44c56c740efea562803d3f8f93ffd62bd95e485
(This is a merge of http://go/wvgerrit/97083.)
The switch from LoadKeys to LoadLicense broke entitlement licenses
entirely because the LoadLicense path in CryptoSession didn't include
any affordances for updating the KeySession, unlike the LoadKeys path.
This patch adds code to handle this.
Bug: 152814106
Test: CE CDM Unit Tests
Test: Android Unit Tests
Change-Id: Id0c33a566e17e6be8da04e12be4b0fc87559aa8f
In `Combine Decrypt Calls to OEMCrypto`,
OEMCrypto_ERROR_BUFFER_TOO_LARGE is used as the default error code to
signal fallback to legacy decrypt (sending subsamples separately).
The error code would not be updated if no calls to OEMCrypto were
made (e.g. 0-length buffers).
This change resets error code to OEMCrypto_SUCCESS after fall back to
legacy decrypt. Consequently, buffers that do no require OEMCrypto
calls would return OEMCrypto_SUCCESS.
Merge of http://go/wvgerrit/96743
Bug: 150188155
Test: GtsMediaTestCases
Test: DashTest#testWidevineH264AdaptiveWithRendererDisabling
Change-Id: Ib23803c51f16bc809bda5c2720e628e81f1df1dc
Merge from Widevine repo of http://go/wvgerrit/96783
This CL updates the reference code, unit tests, and adapter to use the
new v16 function OEMCrypto_LoadDRMPrivateKey. This is just an API
change to allow ECC support in the future. The reference code does not
yet support ECC certificates, and the CDM code assumes that all
certificates have an RSA key.
Bug: 152558018
Test: unit tests on taimen and w/v16 mod mock.
Change-Id: I0793b416513b81b3d74849f0b58dbdc91f075ac6
(This is a merge of http://go/wvgerrit/96226.)
This patch does a number of different things in order to re-enable the
CDM to use OpenSSL 1.1.0+ out of the box, instead of just BoringSSL:
* To support https://cryptography.io/, BoringSSL has reimplemented just
enough of the OpenSSL PKCS7 API that we can fulfill our purposes with
code that works on either library. This patch replaces code in
privacy_crypto_boringssl.cpp and oec_session_util.cpp that was only
compatible with BoringSSL with code that also works in OpenSSL.
* Replaces code in oec_session_util.cpp that used the deprecated OpenSSL
1.0.0 API with OpenSSL 1.1.0-compatible code. This code previously
worked on BoringSSL because they have not yet removed the OpenSSL
1.0.0 functions, even though they also implemented the 1.1.0 API.
* Replaces openssl/mem.h (which does not work in OpenSSL 1.1.0 and
higher) with openssl/crypto.h. (which works in all OpenSSL and
BoringSSL releases) This does not require any function code changes.
* The OID-comparison code in privacy_crypto_boringssl.cpp was using
BoringSSL-exclusive functions to convert OBJ-format OIDs to text.
Conversion functions that work on either library exist. However, the
new code uses a different technique instead, pre-converting the
passed-in OID to OBJ format. This allows it to be compared to the
certificate directly, avoiding converting every certificate extension
OID to text.
* Allows the selection of "openssl" as the privacy_crypto_impl and adds
a variable to configure OpenSSL. More will follow in future patches
as more configurations of OpenSSL are supported.
Bug: 140053043
Test: CE CDM Unit Tests
Test: CE CDM Unit Tests w/ the x86-64 Platform Reconfigured to OpenSSL
Test: Android Unit Tests
Change-Id: I57cebbbfb59e0bcab85b589b98fb9ffd18885415
[ Merge of http://go/wvgerrit/95405 ]
There are several OEMCrypto functions that do not require an open
session to be called. This change updates the OEMCrypto functions
related to the Usage Table Header.
Bug: 150888316
Test: Linux unit tests and Android build
Change-Id: Ic879876dd190fb3e058bbe8e0cce37273030b105
[ Merge of http://go/wvgerrit/95404 ]
There are three situtations where error codes from a usage table
operations were not being mapped to unique CDM response types. These
particular errors provide useful information for the CDM during table
defragging.
Also fixed misspelled error code.
Bug: 150890014
Bug: 150891685
Test: Linux unit tests and Android build
Change-Id: I683abdd5fc0871317eede960ea36cfafac7e7f49
[ Merge of http://go/wvgerrit/95508 ]
The provisioning ID length will be 32 bytes when the device supports a
keybox or OEM certificates and does not implement |OEMCrypto_GetDeviceId|.
If a device supports OEM Certificates and implements |OEMCrypto_GetDeviceId|
it may be an arbitrary length upto 64 bytes.
Bug: 150393659
Test: WV unit/integration tests
Change-Id: I5e4dbc8f2f9ca326425d0313f4823b72bd6ac7c0
Merge from Widevine repo of http://go/wvgerrit/95087
The ODK library is used in OEMCrypto, and in test code, but it is not
needed in the CDM layer. As such, it can be removed from the
Android.mk for cdm libraries.
Bug: 150809634
Test: unit tests
Change-Id: If29458e7d3d940f9a383d77e5082e7388e19c32f
(This is a merge of http://go/wvgerrit/95003.)
To reduce the number of OEMCrypto calls on the decrypt path, the maximum
subsample size will now be cached after the first call to retrieve it.
Bug: 150018606
Test: Android Unit Tests
Test: CE CDM Unit Tests
Test: ExoPlayer high-bitrate playback on OEC v15
Change-Id: I0b5d38d8a082c0a127d2a47f112b76c64085bddb
(This is a merge of http://go/wvgerrit/94928.)
In OEMCrypto v16, we dropped support for 'cens' and 'cbc1'. However, we
did not redefine the pattern (0,0) to be a valid pattern for 'cbcs', even
though it was no longer being used to signal 'cbc1'. Instead, we made
the CDM reject CTR with a pattern ('cens') and CBC with a (0,0) pattern
('cbc1') to mirror the behavior of OEMCrypto v16.
However, some apps have been using 'cbc1' mode to decrypt audio in
'cbcs' content. This is normally not possible but is possible for a
subset of content. Furthermore, it is easy to do by accident because of
the way most packagers package 'cbcs' audio and the special significance
Widevine has historically given the (0,0) pattern.
This patch updates the CDM to not reject CBC with a (0,0) pattern but
instead treat it as 'cbcs' content. To decrypt it correctly, the pattern
is treated specially inside the CDM core and converted to the
recommended equivalent pattern — (10,0) — before passing the content to
OEMCrypto.
For more specifics, please see the design doc: http://go/vclfg
Bug: 150219982
Test: ExoPlayer Demo App 'cbcs' Content
Test: GTS 'cbcs' Content
Change-Id: I334ff15db5f7b7d62040a036ba6d17515c3caee4
[ Merge of http://go/wvgerrit/94483 ]
With OEMCrypto V16 comes a new potential error code from calls to
DecryptCENC(). WARNING_MIXED_OUTPUT_PROTECTION may be returned by
supporting devices if one of the output devices does not meet the
required HDCP level for the decryption key/license; however the output
is instead restricted (by OEMCrypto) to devices that are secure. This
warning is informative to the CDM; but no action can/should be taken
by the CDM.
In addition, if DecryptCENC() returns an error/warning, it is likely
that the same status code will be returned on subsequent calls to
decrypt within the same crypto session. To reduce the number of logs
the CDM produces within the same crypto session only changes in error
codes are logged.
Bug: 140825538
Change-Id: Iaf9da3f0c88889525f73f3153a5977c8416286bb
(cherry picked from commit d9c703ef9e)
Merged-In: Iaf9da3f0c88889525f73f3153a5977c8416286bb
Merge from Widevine repo of http://go/wvgerrit/94523
For OEMCrypto v16, a renewal does not get a new nonce.
Bug: 149856581
Test: WvCdmRequestLicenseTest.StreamingLicenseRenewal
Change-Id: I258f0bcb9c9a417310785f130d32d66fa7430185
Merge from Widevine repo of http://go/wvgerrit/94505
Some tests use an EXPECT when checking an array size or to verify a
pointer is not null. Then they access the pointer or array. When they
use an EXPECT, this access results in a segfault.
I also removed a compiler warning about unused parameters.
Bug: 149856581
Test: request_license_test (now lists failed tests)
Change-Id: I08ac11250921245c89ed5c0c43cc5f4321e0a9cc
Merge from Widevine repo of http://go/wvgerrit/94243
When generating a second provisioning request, a new session should be
opened because a session can only have one nonce for v16.
For Provisioning 3.0 devices, the OEM Cert's private key must be
loaded in the new session.
Test: WvCdmRequestLicenseTest.ProvisioningInterposedRetryTest
Bug: 135288420 Nonce reuse
Bug: 141655126 Cert reload
Change-Id: I8a96566142c4d4380e2bdd571e8d363a7a1f74d4
(This is a merge of http://go/wvgerrit/93829,
http://go/wvgerrit/93830, http://go/wvgerrit/93832,
http://go/wvgerrit/93833, and http://go/wvgerrit/93834 from the
Widevine repo.)
This implements the CDM code changes necessary to take advantage of
Combined Decrypt Calls on OEMCrypto v16. The result of this is that
WVCryptoPlugin is much lighter now because it can pass the full sample
down to the core in one call, but CryptoSession is heavier, as it now
has to handle more complex fallback logic when devices can't handle
multiple subsamples at once.
This patch also removes support for the 'cens' and 'cbc1' schema, which
are being dropped in OEMCrypto v16. This fixes an overflow in the code
for handling those schemas by removing it entirely.
This patch also fixes the "in chunks" legacy decrypt path to use larger
chunk sizes on devices with higher resource rating tiers.
Bug: 135285640
Bug: 123435824
Bug: 138584971
Bug: 139257871
Bug: 78289910
Bug: 149361893
Test: no new CE CDM Unit Test failures
Test: Google Play plays
Test: Netflix plays
Test: no new GTS failures
Change-Id: Ic4952c9fa3bc7fd5ed08698e88254380a7a18514
