[ Merge of http://go/wvgerrit/167897 ]
The function OEMCrypto_GetBootCertificateChain() does not always
provide an additional signature depending on the device. However, the
CDM would still attempt to dereference the first character in the
additional signature buffer when empty. This CL changes how the data
pointer to an output string is acquired. Empty string will instead
pass in a null pointer.
Bug: 272643393
Test: run_prov40_tests
Test: atest GtsMediaTestCases
Change-Id: I10b0a3c7df4fc73272aa701bb01c60672645d4fc
----------------------------------------------------------------------
Fix oemcrypto_generic_verify_fuzz mutator signature offset
[ Merge of http://go/wvgerrit/165899 ]
Merged from https://widevine-internal-review.googlesource.com/165598
Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb
----------------------------------------------------------------------
Fix regressions in oemcrypto_decrypt_cenc_fuzz
[ Merge of http://go/wvgerrit/162151 ]
Fix null-dereference of subsamples vector and potential memory leak due
to parsing errors.
Bug: 260005865
Bug: 260013015
Merged from https://widevine-internal-review.googlesource.com/162081
Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb
----------------------------------------------------------------------
Add custom mutator to oemcrypto_generic_verify_fuzz
[ Merge of http://go/wvgerrit/161578 ]
Enable fuzzing mutations beyond changing the signature length.
Merged from https://widevine-internal-review.googlesource.com/159917
Change-Id: I022d752107b788bd45aafb8325e3186ef90336de
----------------------------------------------------------------------
Refactor oemcrypto_decrypt_cenc_fuzz
[ Merge of http://go/wvgerrit/161546 ]
Refactor to minimize the required corpus length, fuzz the sample input
data, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.
Merged from https://widevine-internal-review.googlesource.com/159618
Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6
----------------------------------------------------------------------
Refactor oemcrypto_copy_buffer_fuzz
[ Merge of http://go/wvgerrit/161307 ]
Refactor to minimize the required corpus length, fuzz the output buffer
length, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.
Merged from https://widevine-internal-review.googlesource.com/159617
Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52
----------------------------------------------------------------------
Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing
[ Merge of http://go/wvgerrit/161397 ]
Split fuzzed message into separate buffer so AddressSanitizer can detect
out-of-bounds accesses.
Merged from https://widevine-internal-review.googlesource.com/161277
----------------------------------------------------------------------
Avoid copying fuzzed data when separator splitting
[ Merge of http://go/wvgerrit/161120 ]
Merged from https://widevine-internal-review.googlesource.com/159497
Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add
----------------------------------------------------------------------
Fix oemcrypto_opk_dispatcher_fuzz
[ Merge of http://go/wvgerrit/161119 ]
Set ODK_Message size and add timestamp field to initialization requests.
Merged from https://widevine-internal-review.googlesource.com/159897
Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d
----------------------------------------------------------------------
Cover empty buffers in fuzz tests
[ Merge of http://go/wvgerrit/161018 ]
Update tests that avoid passing empty buffers to OEMCrypto API methods.
Merged from https://widevine-internal-review.googlesource.com/159317
Change-Id: If0d8007e3294820654b081fe813a09485e757f1c
----------------------------------------------------------------------
Fix cherry pick of "Improve buffer size distribution in fuzz tests"
[ Merge of http://go/wvgerrit/161022 ]
Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183
----------------------------------------------------------------------
Improve buffer size distribution in fuzz tests
[ Merge of http://go/wvgerrit/160957 ]
When a buffer size is fuzzed, use the modulo operation, instead of
std::min, to create an even distribution.
Merged from https://widevine-internal-review.googlesource.com/159157
Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6
----------------------------------------------------------------------
Improve AddressSanitizer coverage in fuzz tests
[ Merge of http://go/wvgerrit/160464 ]
Split fuzzed data into separate buffers so AddressSanitizer can detect
all out-of-bounds accesses.
Merged from https://widevine-internal-review.googlesource.com/158977
Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
[ Merge of go/wvgerrit/c/cdm/+/165138 ]
Enabled the Widevine DRM service on Android to return the raw boot
certificate chain via the CDM status query capabilities. This
property key is not available for app-level queries.
The BCC is dumped by the WVDrmFactory when requested to print all
CDM properties via dumpsys.
Bug: 234095402
Test: request_license_test
Test: adb shell dumpsys android.hardware.drm.IDrmFactory/widevine -p
Change-Id: I34695b0655b4c609979577e9986974bc0fbda898
Includes following fixes:
* http://ag/19196496 Fix the length of the extracted BCC
* http://ag/21097263 Add "version" to device info in prov4 upload tool
Bug: 231677822
Test: adb shell wv_factory_extraction_tool csr
Change-Id: I9f21514b027261f1d69c24a4d2f54051ccaac9a5
AIBinder_setRequestingSid must be called first upon creation of a
binder object before AIBinder_getCallingSid is called. Call
AIBinder_setRequestingSid in the createBinder override function
for WVDrmFactory, WVDrmPlugin and WVCryptoPlugin classes.
Test: Play TV streaming
Test: adb shell dumpsys android.hardware.drm.IDrmFactory/widevine -a
Bug: 237613676
Change-Id: I9dde4715ba2003deb463bd75b23e1ebc2f22a764
(cherry picked from commit 6797b8eb8a)
Merge of https://widevine-internal-review.googlesource.com/c/cdm/+/165220
Original commit message:
Update Android L3 v17 with new system ID after key free fix
Android Arm L3 v17 Provisioning 3.0 2023 28923
Android Aarch64 L3 v17 Provisioning 3.0 2023 28924
Android X86 L3 v17 Provisioning 3.0 2023 28925
Android X86 64 L3 v17 Provisioning 3.0 2023 28926
Test: L3 unit tests
Test: integration tests on Pixel4
Test: GTS media tests on Pixel4
Bug: 252434586
Change-Id: I8ebc19260b37615efd77a533bd005f2b9485182a
Merge of https://widevine-internal-review.googlesource.com/c/cdm/+/165220
Original commit message:
Update Android L3 v17 with new system ID after key free fix
Android Arm L3 v17 Provisioning 3.0 2023 28923
Android Aarch64 L3 v17 Provisioning 3.0 2023 28924
Android X86 L3 v17 Provisioning 3.0 2023 28925
Android X86 64 L3 v17 Provisioning 3.0 2023 28926
Test: L3 unit tests
Test: integration tests on Pixel4
Test: GTS media tests on Pixel4
Bug: 252434586
Change-Id: I68d36bf57266c4d3245962e22b8dff92f2667948
Merge of https://widevine-internal-review.googlesource.com/c/cdm/+/164981
Original commit message:
Fix key double free issue in L3
Cherry-pick the fix from:
https://widevine-internal-review.googlesource.com/c/cdm/+/164885/https://widevine-internal-review.googlesource.com/c/cdm/+/164958/
Then generated L3 on top of tm-widevine-release code base.
Original commit message:
During license loading if an error occurs, all the loaded keys will be
freed. Later at session termination, the previously freed keys get freed
again, which screwed up the key table.
This CL prevents the double free by checking if the key index is already
freed, and updates the freed index to be kKeyDataArrayCount.
Also a side fix to correctly zero-out the intialized memory and adding a
few debug outs.
Test: ran L3 unit tests
Test: verified GTS tests on arm32 device
Bug: 252434586
Change-Id: I8058c10daae3d1007733eb6ac54101545d3ce029
[ Merge of http://go/wvgerrit/161877 and http://go/ag/20523252 ]
This change introduces some logging to shed some light on
why some L1 devices fallback to L3.
* Additional logging has been added to indicate whether a lookup of
the symbols for OEMCrypto_Initialize, OEMCrypto_APIVersion
or OEMCrypto_Terminate failed.
* OEMCrypto_Initialize error code is saved and reported later.
Bug: 245887116
Test: GtsMediaTestCases
Change-Id: Ice4d966d2fee458de2fae28a1355f292f879c38b
Merge from Widevine repo of http://go/wvgerrit/160720
For DRM, but not for CAS, we allow the entitlement session
and the entitled session to be the same.
Bug: 253471127
Bug: 246566056
Bug: 245018059
Bug: 242815450
Test: oemcrypto unit tests on oriole (all but CAS tests pass)
Test: GTS
Change-Id: Ib830484be8437b1c4ce34500ae912e6c119dcfc3
Merge from Widevine repo of http://go/wvgerrit/160719
We do not require that a session id be nonzero. This CL
removes test asserts that a session id is not zero.
Bug: 242815450
Test: tested with http://go/ag/20420224
Change-Id: Ia0f25bca737503e1ad3ac4336714312cacea28f8
Merge from Widevine repo of http://go/wvgerrit/154874
We do not require an error to come from SelectKey immediately, it can
come from a following call to DecryptCENC. This adds a function
Session::TestDecryptCENC to be called instead of SelectKey for the tests
that use entitled sessions.
Bug: 232225906
Test: tested with http://go/ag/20420224
Change-Id: If5695a5034cce371b6eb6bcf1b6467d84456c21d
Merge from Widevine repo of http://go/wvgerrit/159057
Increase fuzzing efficiency by generating the header_buffer_length
parameter from the input data and pre-creating a usage table header.
Test: tested with http://go/ag/20420224
Change-Id: Idab4c3d0ae879854202e5ffd24bf031b946aeb6a
Merge from Widevine repo of http://go/wvgerrit/159077
ProvisioningRoundTrip::InjectFuzzedResponseData and
LicenseRoundTrip::InjectFuzzedResponseData were unsafe as they ignored
their size parameter.
Test: tested with http://go/ag/20420224
Change-Id: I9b5647a283d98bc960caa458b1adf433a3f0ae17
Merge from Widevine repo of http://go/wvgerrit/154651
Some substring out of range tests uses non-zero offset but
with zero length. This zero length later will be ignored by
v15 oemcrypto, so the tests actually didn't test
anything. These tests are failing on v15 oemcrypto because
the test expect an out of range error but it actually
succeeded since nothing was tested.
Assign the offset to be out of range and then also assign
length to be not zero.
Test: run_fake_l1_tests; run_level3_static_tests;
Bug: 229299394
Test: tested with http://go/ag/20420224
Change-Id: Ic50b6323312e0ecb253dbeb925d9291db6eec075
Merge from Widevine repo of http://go/wvgerrit/158203
Prevent abort, interpreted as a crash by libFuzzer, when
OEMCrypto_CreateUsageTableHeader fails session state checks due to being
called after OEMCrypto_GenerateNonce.
Bug: 251215411
Test: tested with http://go/ag/20420224
Change-Id: I71ad1186ff2cb9ced81f9950d2fa235878aeb54d
Merge from Widevine repo of http://go/wvgerrit/158204
Prevent abort, interpreted as a crash by libFuzzer, when
OEMCrypto_CreateUsageTableHeader fails session state checks due to being
called after OEMCrypto_GenerateNonce.
Bug: 250682470
Test: tested with http://go/ag/20420224
Change-Id: Ia15b8c26fb391a190c32115e398a78ff9f8a7e16
Merge from Widevine repo of http://go/wvgerrit/158077
I ran the script ./oemcrypto/lock-api-for-release
Bug: 235858362
Test: tested with http://go/ag/20420224
Change-Id: I59b808898cdec60bffe36059f75ac413b0f55356
Merge from Widevine repo of http://go/wvgerrit/157923
This adds a C file to be built by Luci to verify that nobody
has made a change to OEMCryptoCENC.h that changes the
signature of any _oecc function. See the new comment in the
header for an explanation why we don't want to chage the
function signature of an oecc function.
We also update the OEMCrypto release script to verify that
all of the functions have been locked. There is a script to
update the lock file that should be run before each release.
Bug: 235858362
Test: tested with http://go/ag/20420224
Change-Id: Id890054e82cf8cc4c75e83c8347a776bda2d8a3b
Merge from Widevine repo of http://go/wvgerrit/157777
(partially merged in http://go/ag/20031768)
In CreateCoreLicenseResponse(), there seems to be an out of bounds
potential error due to a missing check that the index used for
license_response.parsed_license->key_array is valid. Adding a check
for this here.
Bug: 217677571
Test: tested with http://go/ag/20420224
PiperOrigin-RevId: 452114761
Change-Id: Id35ec48bebb564596b8e67c737bc13be9377891b
[ Merge of http://go/wvgerrit/156997 ]
Several of the Android integration tests perform direct URL comparisons
between fixed URLs and the server URL returned by the CDM. With
provisioning 4.0, the CDM will append additional query parameters to
the server URL. This updated URL still contains all of the original
expected information, but with additional parameters. So long as the
URL contains the required fields, any additional parameter should be
considered valid.
The gtest framework used by the integration tests allow for the
creation of custom "matchers", rules that can be used to validate data
and create informative failure logs. The CL creates a new matcher for
checking that a tested URL is a superset of content of the expected
URL.
Bug: 244319313
Test: request_license_test on prov 4 device
Change-Id: Ie721058fa628b3a4a74dc56f4172a3dfcb1f1ef3
[ Merge of http://go/wvgerrit/154575 ]
[ Cherry-pick of http://go/wvgerrit/19216679 ]
There is a rare race condition experienced by some Android devices
where the a new client property set is being added while another is
being removed. The C++ stl library does not provided thread
protection by default.
This CL adds a new mutex for the client property set map which prevents
multiple threads accessing the property sets concurrently.
Bug: 235238226
Test: GtsMediaTestCases on redfin
Change-Id: I32cf11bfb1332295ba1245071102ff0adc35259d
(cherry picked from commit aaa97a5d60)
This is to bring cdm tm-widevine-release in sync with Android
tm-widevine-release.
Originating CL: https://widevine-internal-review.googlesource.com/c/cdm/+/154509
The only difference is in the test name.
Test: run diff against CDM tm-widevine-release
Bug: 239059097
Change-Id: I1279bf780c8faef393b32d73a163756a016d80fc
This is a merge from:
https://widevine-internal-review.googlesource.com/c/cdm/+/152897
and http://go/wvgerrit/153709
Adding a new OEMCrypto unit test will allow partners to correct a
problem earlier in their integration.
Verifies current oemcrypto implementation handles clear KCB in a
mocked 16.4 license response.
Unit test release date updated to 2022-06-17.
Test: run_x86_64_tests; opk_ta
Bug: 235870170
Bug: 234645065
Change-Id: I59fef2c25f5c007624447d4f46147d96adeddad9
[ Merge of http://go/wvgerrit/152674 ]
This allows an app to query the provisioning model. Possible
values are { "DrmCertificate", "Keybox", "OEMCertificate",
"BootCertificateChain" }
An app can use these to disntinguish between provisioning models.
Provisioning 4.0 (boot certificate chain) requires a double provisioning
step.
Bug: 234057551
Test: WV unit/integration tests, libwvdrmdrmplugin_hal_test
Change-Id: I1611488ec632a0e5a9e1d106b7475e8f5a2a5a13
This is a merge from:
https://widevine-internal-review.googlesource.com/c/cdm/+/152372
The L3 source change which produced these libraries is:
https://widevine-internal-review.googlesource.com/c/cdm/+/152371/
Original commit message:
To address the bug with certain 16.4.x SDK versions returning a
clear key control block (KCB) for clients newer than 16.5, the
exact version check to determine whether key control blocks are
clear or not has been loosened.
Original behavior:
- ODK version >= 16.5.x --> Assume clear
- ODK version <= 16.4.x --> Assume encrypted
New behavior:
- No KCB IV --> Assume clear
- Otherwise --> Assume encrypted
This CL also includes a change to oemcrypto/include/OEMCryptoCENC.h
The changes to OEMCryptoCENC.h in the CL are comments or variable name
change. So it should be safe.
This change was merged to wv tm-dev here:
https://widevine-internal-review.googlesource.com/c/cdm/+/148411
So, adding it to Android tm-dev.
Test: run_level3_static_tests, CdmDecryptTest/CdmTestWithDecryptParam.* against LS SDK 16.4.2 & 17.0
Bug: 232557453
Change-Id: I2bbb5ab3ea33a16bd6c198077e5aefe960737ea0
[ Merge of http://go/wvgerrit/151391 ]
This CL moves the logic for extracting the system ID from keybox or
OEM certificate (from OEMCrypto or device files) to a dedicated
SystemIdExtractor.
Before Provisioning 4.0, the system ID could only be found from data
returned by OEMCrypto. However, with provisioning 4.0, the system ID
can now be found in the OEM certificate that is stored on the device
files.
Bug: 232020319
Test: system_id_extractor_unittest
Test: Forest L37800000954493485
Change-Id: Ie1b7987906e2e4fef015cd659a947b6dbb7594b1
