Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.
Bug: 141248879
Test: m checkbuild
Change-Id: I53757b813fe2984261a3bde963cac1886523dfdf
[ Merge of http://go/wvgerrit/85153 ]
Issues addressed in this CL:
1) Linkage warnings in g++
2) Inconsistent `override` with clang++
3) Test variable names
Some of our tests use types defined in test-local anonymous namespace. For
our tests setup, this does not cause any linkage issues; however, g++ produces
warnings about it.
The options were to suppress it with `-Wno-subobject-linkage`, or to change
the tests to avoid even the potential of a linkage error.
There were additional warnings showing up about the use of `override` on
derived mock classes. The solution was simply to remove the `override`
qualifier on `MockFile`'s destructor.
Some of the test data variables were using snake_case, here I switched it to
kConstantCamelCase.
Bug: 139808919
Test: Compiling with gcc, Linux unittests and Android unittests
Change-Id: Ic3f82a6db7fad990ffe49186914084b039ec8a14
Switch Widevine service to link dynamic libcrypto.so.
Merge from http://go/wvgerrit/86323
Test: Play Movies & TV, Netflix, ExoPlayer, GTS
bug: 141082724
Change-Id: I16a7de4dab69bf3b4b550bb2ee202f4600682837
This change renames the IMemory raw pointer accessors to
unsecure*() to make it apparent to coders and code reviewers
that the returned buffer may potentially be shared with
untrusted processes, who may, after the fact, attempt to
read and/or modify the contents. This may lead to hard to
find security bugs and hopefully the rename makes it harder
to forget.
The change also attempts to fix all the callsites to make
everything build correctly, but in the processes, wherever the
callsite code was not obviously secure, I added a TODO requesting
the owners to either document why it's secure or to change the
code. Apologies in advance to the owners if there are some false
positives here - I don't have enough context to reason about all
the different callsites.
Test: Completely syntactic change. Made sure code still builds.
Change-Id: I13466e045f587e612ad80e518fee27f4da0bde5e
Bug: 138709931
Test: 1) Keep the widevine splitbins ONLY at /vendor/firmware_mnt/image
2) L1 secure video playback
Change-Id: Icbb749a0ac379015ed48c4bf32f7647d7fbe5b96
[ Merge of http://go/wvgerrit/84490 ]
The unit tests will now make at most 10 attempts to provision
themselves before declaring failure.
This change is made to help with flaky provisioning requests that
have been experienced on the Jenkins build server.
Bug: 139298083
Test: Linux unit test, Jenkins build and Android unit tests
Change-Id: I6415a5ef9fdf10ceb893867d5fc73131338e9f76
(This is a merge of http://go/wvgerrit/84510)
When the CE CDM 3.5 behavior around service certificates was originally
implemented, it allowed sessions to be created if a service certificate
had not yet been installed, in keeping with the EME spec. However, the
service certificate in use at session creation time was cached, and so
there was a bug where any sessions open before a service certificate was
installed would never be updated with any future service certificates.
The code also caused problems for Android. When it was merged to master,
it was fixed to simply not allow session creation on CE CDM without a
service certificate. However, this created an impedance mismatch between
the CE CDM and EME that has caused pain for Shaka Player Embedded,
Chrome, Chromecast, Fuchsia, and likely every partner that is trying to
implement a fully-compliant EME stack on top of CE CDM.
Removing the code that blocks session creation without a service
certificate is easy. Fixing the bug that motivated it is not. Removing
the caching is not possible because Android needs it for certain
behavior on its end. So instead, the CE CDM will have to iterate over
all open sessions and update their service certificates if the installed
service certificate changes.
Test: CE CDM Unit Tests
Test: Android Unit Tests
Bug: 111766009
Change-Id: I1bd70553e2209b823a6acdc221c0497a5f3181b2
[ Merge of http://go/wvgerrit/84989 ]
FileUtils::Remove() when used with wildcards would ignore a prefix specified
before the asterisk and delete all files with the same extension.
Fix proposed by broadcom.
Bug: 120039689
Test: WV unit/integration tests
Change-Id: Iddc6c6b1983c41b501b21f34626f56c0b74af6c8
[ Merge of http://go/wvgerrit/85503 ]
Replacing a few instances of C's NULL with C++'s nullptr in some of the
smaller sub-directories in the CDM.
Note that clang-format has performed additional changes to some of the
test files that have not yet been formatted.
Bug: 120602075
Test: Android unittest
Change-Id: I926135ed4b85e9d2d58a014b4a62098b0cb7a373
[ Merge of http://go/wvgerrit/84990 ]
Storing and retrieving licenses from device files had required 15
parameters to the DeviceFiles methods. Now, licenses information is
bundled together in a single struct `CdmLicenseData`, similar to
`CdmUsageData`.
Bug: 137882164
Test: Linux and Android unittest
Change-Id: I149b39573800e7c66681343b252b41341a8902f7
[ Merge of http://go/wvgerrit/85408 ]
Replacing a few instances of C's NULL with C++'s nullptr in some of the
smaller sub-directories in the CDM.
Bug: 120602075
Test: Linux and Android unittests
Change-Id: I62bb548051434b4b974d89a6d57a9a17a0d66bd2
[ Merge of http://go/wvgerrit/84607 ]
[ Merge of http://go/wvgerrit/84608 ]
The primary goal is to replace the use of `rand()` with the random
number generators provided with the C++11 standard.
This simplified generator wraps some of the technical aspects of the
<random> library and provides an interface for uniformly distributed
integers.
As part of the `rand()` purge in the CDM, all uses of the C random int
function in `core()` have been removed. Places that previously used
`rand()` now use `CdmRandom` facilities.
Test: Linux unittest and Android unittest
Bug: 130680365
Change-Id: Ica383870536ed462dbb80e630c2d66845e38b937
[ Merge of http://go/wvgerrit/84647 ]
[ Merge of http://go/wvgerrit/84648 ]
Replacing most instances of C's NULL with C++'s nullptr. Also changed
how a NULL check is performed on smart pointers. They provided an
implicit boolean operator for null checks, meaning the underlying
pointer does not need to be compared directly (as it was in some places
before).
Note that clang-format has performed additional changes to some of the
test files that have not yet been formatted.
Bug: 120602075
Test: Linux and Android unittests
Change-Id: I06ddebe34b0ea6dfecedb5527e7e808e32f5269a
[ Merge of http://go/wvgerrit/83423 ]
[ Merge of http://go/wvgerrit/83424 ]
[ Merge of http://go/wvgerrit/83425 ]
[ Merge of http://go/wvgerrit/83426 ]
[ Merge of http://go/wvgerrit/83427 ]
Types of cleanup:
- Removed function / class prefixes from the logs.
- Fixed log string format options to match the types passed
- Corrected small spelling mistakes / typos
- _Tried_ to make the log format more consistent
- Added static_cast<int> conversion on enumerations when logged
- Changed several LOGE to LOGW and vice versa
- Used LOGE if the triggering condition stops the method/function
from completing its task
- Used LOGW if the triggering condition changes the expected
outcome but does not stop the rest of the method/function's
task
- Changed several instances of `NULL` to `nullptr`
- Ran clang-format on files after cleanup
This is part of a larger code quality effort in Widevine DRM.
Test: WV linux unittests and WV Android unit tests
Bug: 134460638
Bug: 134365840
Bug: 136123217
Change-Id: I958ec70ef99eef95c38dbebd7a1acd62ef304145
[ Merge of http://go/wvgerrit/83804 ]
There is a private helper method in `UsageTableHeader` which is used by
other methods to shrink the table by removing a specified number of
entries.
Prior to this change, if `Shrink` was called to remove more entries
than there are, it would: 1) do nothing and 2) return `NO_ERROR`.
Obviously, at least one of those action should change.
Instead of doing nothing, it will simply remove all the entries from
the table and return `NO_ERROR`. A warning will be logged that it was
requested to shrink by more entries than there are.
Four (4) new tests have been created to ensure that `Shrink()` works as
expected.
Test: Linux unit tests
Bug: 138242127
Change-Id: Idedd922bd883d7ae1b84ce8ec1255fdce00c0948
[ Merge of http://go/wvgerrit/83629 ]
In a previous change, the `VersionNumberChangeCanary` test started
to fail when Android changed their version number from "10" to "R".
I forgot to also change the Widevine CMD version string from "15.0.0"
to "16.0.0".
Test: Run `request_license_test` on Android
Bug: 137784842
Change-Id: I157aa6ac518423911e806b1278d723a86579c8cd
[ Merge of http://go/wvgerrit/83184 ]
On master branch, `request_license_test` should be expecting the latest
android release version (now "R").
Test: Run `request_license_test` on Android R
Bug: 137784842
Change-Id: I09add2c2752b5af09bd2f27bd9f4ce7bc6fc07eb
[ Merge of http://go/wvgerrit/82232 ]
The new function `ArraySize` will only work for compile-time fixed-length
arrays, and will provide compiler errors if the provided argument is not an
array.
This will replace the commonly used macro `N_ELEM()` which uses `sizeof()`.
Test: Linux unittest
Bug: 137041745
Change-Id: I0f5c268197a8062a99ccba43c73349e97f66eb02
Merge from Widevine repo of http://go/wvgerrit/79463 and
http://go/wvgerrit/82383
Several tests explicitly set the log level. This CL unifies that a
little bit. When running the unit tests by hand, on android or for ce
cdm, the log level is 0 (ERROR) and can be incremented on the command
line using the "--verbose" switch.
When running on the desktop, you can set the environment variable
VERBOSE_LOG to "yes", and the log level is set to VERBOSE. This is
done by the buildbot so you can see full logs in the build archive.
When running with the test bed (i.e. Mod Mock) you can edit the
options.txt file and set log_level to 0=ERROR up to 4=VERBOSE. if you
are using the run_current_tests script, you can create a file in the
linux directory called override_options.txt and add the line
log_level 4
This CL only changes test code.
bug: 124390006
Test: unit tests
Change-Id: I1e042004692750e218b8c4220bce3ec1e387004e
[ Merge of http://go/wvgerrit/81743 and http://go/ag/7747989 ]
This fixes some failures in tests. A platform property has been added
which controls whether an offline license can be restored if a release
request has been previously made. This behaviour was introduced by
CE CDM in b/113167010 but is not permitted for android.
The tests failures addressed are
* ProvisioningTestWithServiceCertificate
* ReleaseRetryOfflineKeyTest
* ReleaseRetryL3OfflineKeyTest
* ReleaseRetryL3OfflineKeySessionUsageDisable
Bug: 119428680
Bug: 133684744
Test: WV unit/integration tests
Change-Id: I5beacecea32f26c8a319a6d73a45cc36f04d8aa1
[ Merge of http://go/wvgerrit/80944 ]
Ran `git clang-format` on files in utils/src.
Used the new .clang-format config.
Bug: 134365840
Test: WV unit tests
Change-Id: Idbba01ec65fc019327fc59dc1d95d7cefa4a5aa7
[ Merge of http://go/wvgerrit/80943 ]
Ran `git clang-format` on files in utils/include.
Used the new .clang-format config.
Bug: 134365840
Test: WV unit tests
Change-Id: Ifc0950236ecd610792e9add11ac07c63485f3f0c
(This is a merge of http://go/wvgerrit/81628. Although it is primarily
to support a CE CDM feature, this patch touched shared code and so must
be merged.)
The problem that has long stopped the OEMCrypto Testbed from working
with the CE CDM build is that the OEMCrypto Testbed sometimes accesses
the storage via the normal filesystem APIs rather than the FileSystem
abstraction. Furthermore, when doing this, it assumes that FileSystem
abstraction is just a wrapper around direct filesystem access and thus
it should use the same paths in both kinds of filesystem access.
However, this is not true on the CE CDM where FileSystem wraps an opaque
key/value store.
This patch adds a property that allows a platform to indicate if its
FileSystem base path represents a real file system path and sets it
appropriately. ("true" for all platforms except CE CDM) It also adds
code to the OEMCrypto Testbed that makes use of this property to modify
its behavior. When running on a device where the FileSystem base path is
not a real file system path, it will instead use the directory of the
current executable as its base path when accessing the filesystem
directly.
Bug: 129311942
Test: CE CDM Build with Fake L1
Test: Android Build
Change-Id: Iadb3cc57d3bbc8ce0d49224b7df31c46bd5ea56c
Merge from Widevine repo of http://go/wvgerrit/81265
Types of cleanup:
- Removed function / class prefixes from the logs.
- Fixed log string format options to match the types passed
- Added static_cast conversion on enumerations
- _Tried_ to make the log format more consistent (open to feedback)
- Corrected small spelling mistakes
This set of changes is very large, splitting change across several
submissions. This change:
- core/src/buffer_reader.cpp
- core/src/cdm_engine.cpp
- core/src/cdm_session.cpp
Test: WV linux unittests
Bug: 134460638
Change-Id: I16c3297b8e94a99c2b8650b129d0f9e8d96b177f
Merge from Widevine repo of http://go/wvgerrit/79243
Modify failures for LoadKeyWithSuspiciousIV and SelectKeyNotThereAPI15
This turns on some unit tests that were disabled for Q release.
Merge from Widevine repo of http://go/wvgerrit/77948
Mod Mock: Dump entitlement keys - this allows some logging when
running in a test environment.
Merge from Widevine repo of http://go/wvgerrit/75763
Refactor OEMCrypto Decrypt Tests
This CL refactors the oemcyrpto decryption tests. A bunch of boiler
plate code was moved to a common test setup. Also, buffer handling
was streamlined so that it will be easier to use these test with
secure output buffers.
Bug: 131281966
Bug: 129432708
Test: unit tests
Change-Id: Iebf62611a16e0a4def9c4daed1c6cdf12686ba74
[ Merge of http://go/wvgerrit/79884 ]
WvCdmDecryptionModule needs to be refcounted since it inherits
from RefBase. The test code instantiates it as a member variable.
Bug: 133188706
Test: WV unit/integration tests
Change-Id: I8ae3d92ae148677ea9a8290a6c0553c1a43e3454
[ Merge of http://go/wvgerrit/80805 ]
This change was used only where `typedef` was used for type aliasing,
and not for defining a new type (such as enums, structs, or function
pointer types).
Clang-format was used on the changed files.
Test: WV unit tests
Bug: 134437705
Change-Id: I730b9709a5ac773b3036daa79024caab665b3daa
Bug: b/133641240
Tests: ProvisioningInterspersedRetryTest L3 & modmock
Merge of http://go/wvgerrit/80164
The ProvisioningInterspersedRetryTest tests that the response tied to
the provisioning request before the latest fails to be handled. This is
only true for provisioning 2.0 where we use derived keys. In
provisioning 3.0, the number of requests allowed to be handled is tied
to the number of nonces, which from OEMCrypto v15.2 onwards, is exactly
4. This CL modifies the test to handle that behavior.
Change-Id: I9f4e555acab145487d6e409779afe7b9b63fd4af
Bug: b/133855570
Tests: Android tests/CE CDM tests/Linux tests
Merge of http://go/wvgerrit/80163
Adds a query option to QueryStatus to get the provisioning model of the
OEMCrypto.
Change-Id: I1896984be6294a5ada9a97b63e6d9080297e92b0
[ Merge of http://go/wvgerrit/80484 ]
Clang-format has been run on files in core/src. clang-format has been turned
off for some blocks but otherwise no other changes have been made.
Bug: 134365840
Test: WV unit/integration tests
Change-Id: I6e509f25136f84d37de3d920084302f0f2c23dc4
[ Merge of http://go/wvgerrit/80483 ]
Clang-format has been run on files in core/include
Bug: 134365840
Test: WV unit/integration tests
Change-Id: I890127f23f30f0e63f826d3638521b4cc12fb995
