Merge from Widevine repo of http://go/wvgerrit/56523
In OEMCrypto v14, SelectKey can also return KEY_NOT_LOADED if the key
id is not found. This was added to help with entitlement licenses.
However, SelectKey in crypto session converts this to an unknown
error.
In this CL we change that to a NO_CONTENT_KEY_3 error. This is
probably only important because the generic crypto tests expect
NO_CONTENT_KEY_3 when we try to use an undefined key.
Test: existing unit tests pass, and some future unit tests pass.
Bug: 72354901 Turn on generic crypto tests
Change-Id: I3c0b7e6306cafd3feabc8aac7e47983c89194a26
Merge from Widevine repo of http://go/wvgerrit/56522
This CL moves provisioning from core/test/cdm_engine_test.cpp to
test_base.cpp because other tests should also only be run when the
device has been provisioned.
It also adds a fake license server. The license holder helps a test
create a license request and then generates a bare-bones license,
without actually sending anything to a real license server.
Test: more unit tests pass than before.
Bug: 72354901 Fix Generic Crypto tests.
Change-Id: Iec067a6a1fb91fa8fd7b904fdf36e90981e293a3
Merge from Widevine repo of http://go/wvgerrit/56521
This CL adds a common main routine for integration tests. It sets a
default test configuration for the provisioning and license server
urls and certificates, and allows the user to set them on the command
line.
Test: current unit tests still pass.
Bug: 72354901 Fix Generic Crypto tests.
Change-Id: I604a3d9e15d50da5041794624c4571c0dcb091f5
Merge from Widevine repo of http://go/wvgerrit/56520
This CL adds a test base that installs a test keybox and catches nonce
flood errors for all CDM tests.
In order to do this, a new class is added called a
CryptoSessionFactory. The default factory just creates a new
CryptoSession. All places in the code that create a new CryptoSession
now call the static method MakeCryptoSession, which uses the current
factory to create a CryptoSession. If MakeCryptoSession is called and
there is no current factory, a default factory is created.
The CryptoSession constructor is now private, so that we do not
accidentally try to create one without using the factory.
For the new test base, we first create a special test
CryptoSessionFactory that creates a TestCryptoSession. The test
factory catches the first call to MakeCryptoSession and injects an
installation of the test keybox after OEMCrypto_Initialize is called.
The TestCryptoSession injects a sleep statement and a retry whenever
it detects a nonce flood.
Test: current unit tests still pass.
bug: 72354901 Fix Generic Crypto tests.
bug: 111361440 Remove #ifdef from unit tests
Change-Id: I248e7f3c53721c04d2af412ef835e19bb4d15d9a
Merge from Widevine repo of http://go/wvgerrit/55620
There were two places that explicitly referenced BoringSSL instead of
OpenSSL. (Not counting, of course, all the BoringSSL functions and
headers that still have "OpenSSL" in their names.) This change fixes one
to mention either library and the other to specifically mention
BoringSSL.
Bug: 70636815
Test: CE CDM Unit Tests
Change-Id: I8703e1c427c66953fcc565a4f8f85093c7180f46
Merge from Widevine repo of http://go/wvgerrit/56760
This CL backs out one restriction added in http://go/wvgerrit/42941.
In that CL, a sample would not be processed if the policy engine says
the key cannot be used for a given security level. The change relaxes
the check and does not run the verification if the sample is clear.
Bug: 112113797
Bug: 115758660
Test: GTS tests. Unit tests. Verified Play movies and Netflix.
Test: version number unit tests fail as expected.
Change-Id: I5238745c3d3d7f0eb7fae203f4579e8df4d0681b
Merge from Widevine repo of http://go/wvgerrit/56540
The pssh in request_license_test had the wrong size field.
Test: tested as part of http://go/ag/4674759
Change-Id: I6fed0fc8d11aec0a360d300e500a4ef62b658dad
This CL cleans up some bad merges of client ID code, entitlement keys,
and concurrent session access. After this CL, core cdm code on
android should match that on widevine at the commit 2f916720 on branch
master.
CLs merged here are based on:
http://go/wvgerrit/50483 Protect sessions from concurrent access
http://go/wvgerrit/48860 Remove duplicate information from client identification
http://go/wvgerrit/49040 Revert revertion of Client ID Expansion
http://go/wvgerrit/46448 Test Entitlement Licenses
Test: tested as part of http://go/ag/4674759
Change-Id: I45854d6b034c247b16073a96d6ff3ea953ded3ae
There were some mistakes in previous merges from pi-dev to master in
whitespace and copyright notices. This fixes them.
Test: tested as part of http://go/ag/4674759
Change-Id: Iae46c121de59233b62925a4d8c97f2b370e3e7f1
Some of http://go/wvgerrit/46251 from Widevine repo.
The rest was merged in the oemcrypto refactor.
When we standardized on BoringSSL, these conditional compilations that
had been added as a stopgap for OpenSSL became unneeded. However, they
were not noticed and removed at the time.
Bug: 72459799
Test: CE CDM Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: I693f691ffcb255e03660edaa6743cd0fb9ef12c6
Merge from Widevine repo of http://go/wvgerrit/45940
Since the Level 3 OEMCrypto is being updated to Provisioning 3.0, its
SPOID would be derived from its OEM Certificate, breaking backwards
compatibility. This CL changes how we determine what unique id to use
for SPOIDs by checking to see if OEMCrypto_GetDeviceID is implemented,
and if so, using the id returned from that call. If not and the root
of trust is an OEM Cert, we continue to use that OEM Cert.
This allows Level 3 devices to keep the same SPOID when they undergo a
field update to Provisioning 3.0.
Also, the Level 3 OEMCrypto will share a single OEM certificate across
all devices with the same architecture. Since the OEM Cert is not
unique, it cannot be used to derive a unique id. By using the unique
id returned by OEMCrypto_GetDeviceID, we can generate a unique SPOID.
The id from OEMCrypto_GetDeviceID has always been required to be
unique for devices with keyboxes. The functionality and use of this
function for Provisioning 3.0 devices was introduced in OEMCrypto API
version 14.1.
Test: tested as part of http://go/ag/4674759
Change-Id: I65af8246c9312c75c570a2d518caa3de633007c4
Merge from Widevine repo of http://go/wvgerrit/48841
This test is not providing value to the CDM, as it seems to exist
primarily to validate server behavior. However, it is not doing what
it says it is (the request is rejected because it is using unparseable
garbage data, not because its key ID is unknown) and according to
tinskip@, the behavior it claims to be testing is not valid. (The
licensing service will not fail just because the key ID is unknown.
Indeed, if the test data is fixed to use a valid payload with an
unknown key ID, the test fails because the server does not.)
Bug: 78640287
Test: CE CDM Unit Tests
Test: Android Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: Idfcff15ab3d15fdfb6eb111b5dff68aa5a23fb37
Merge from Widevine repo of http://go/wvgerrit/50560
There were some compiler warnings about converting true and false to
integers in EXPECT_EQ which were solved by using EXPECT_TRUE and
EXPECT_FALSE.
Test: tested as part of http://go/ag/4674759
Change-Id: Ie55b53ce48301af64ee2dff04642cbda02c1c41e
Merge from Widevine repo of http://go/wvgerrit/43202
Sync the definition of WidevinePssh data with the latest in support of
entitlement keys.
bug: 73297961 Fix or remove sublicense support.
Test: tested as part of http://go/ag/4674759
Change-Id: Ia9faf82732854a705b4b14430169ce4c8ecbcfcd
Merge from Widevine repo of http://go/wvgerrit/53883
Note: this CL does not modify license_key_status.cpp because the
previous CL already included those changes.
OEMCrypto v14 only supports one entitled key per entitlement key at a
time. Unfortunately, some partners have use cases that require using
old entitlement keys after the new keys have been loaded. Most
notably, when a key rotation occurs, the new PSSH will often be loaded
before the playback position catches up to the PSSH in the stream,
meaning that decryption will need to continue using the old keys for a
bit.
To fix this, EntitlementKeySession now caches the entitled keys when
they are loaded and only loads them under their matching entitlement
key when SelectKey() is called. This ensures that the right entitled
key is loaded for a given entitlement key before decryption.
The entitlement key integration tests have been updated to verify that
the old entitled keys still work even after loading new entitled keys.
Also, several places in the code that assumed loading new entitled
keys would wipe out the old keys have had to be modified.
Bug: 78652567
Test: CE CDM Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: I6fac9dfe2b170ad68fb7cdb5bc8d6a2f35a20c2c
Merge from Widevine repo of http://go/wvgerrit/49003
CopyOldUsageEntry currently needs the old usage table to be loaded via
CreateOldUsageEntry. The CDM uses a workaround by creating a dummy old
entry, but the OEMCrypto code should be responsible for this. However,
since there have been several versions released with the current
OEMCrypto spec, the CDM code would have to still exist to support
implementations of that spec. Therefore, in order to avoid having to
support both a CDM with this workaround removed (as well as updating
the spec) and a CDM with it still in place, this workaround should be
canonicalized.
b/65730828
Test: tested as part of http://go/ag/4674759
Change-Id: I4619c551b79a53746683519d284663bf513ec38d
Merge from Widevine repo of http://go/wvgerrit/53465
It may not be clear that Properties::Init is called multiple
times. This CL adds an explanation in the header file. The function
itself is platform specific.
Test: tested as part of http://go/ag/4674759
Change-Id: I68010c594ec146e36161ae0f4f44d53caefa1896
Merge from Widevine repo of http://go/wvgerrit/53640
While HttpSocket supports both secure and insecure requests, the
error-handling code in HttpSocket::Read() was written assuming that
the insecure code path was previously taken. This resulted in spurious
and misleading error messages being printed when an SSL error
occurred, and it also meant that retryable SSL responses were not
being retried. Also, the code for detecting a closed connection was
technically incorrect, although a quirk of BoringSSL meant that it
happened to work well enough to go unnoticed.
This patch adds separate SSL error handling from the non-secure error
handling. It correctly checks for a closed connection. It will retry
retryable errors after a delay. And it prints the correct BoringSSL
error when an unrecoverable error occurs. There should be no change in
behavior for insecure connections.
Bug: 77338045
Test: CE CDM Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: I8c45ca5771f22c11716d2e3649de91ab1acc1954
Merge from Widevine repo of http://go/wvgerrit/50481
Original CL http://go/wvgerrit/47520
The original CL was not completely merged to master on Android, so
this CL only reverts the left-over bits.
The original fix was not sufficient to address all race conditions. A
subsequent CL will address them.
Bug: 73781703
Bug: 79158083
Bug: 79262108
Test: tested as part of http://go/ag/4674759
Change-Id: Ib6c55ab5434e08fe61e0f65623ac8c7b2dc5aaa1
Merge from Widevine repo of http://go/wvgerrit/53625
Passing the third parameter to std::string::insert() as an integer
technically makes for an ambiguous method call, as there are two
overloads that could accept these arguments. While baseline GCC and
Clang discern our intent here correctly, seawardt@ discovered that
XCode is more pedantic and requires that we pass the third parameter
as a char to disambiguate.
Test: WvCdmEnginePreProvTestUat.ProvisioningServiceCertificateInvalidTest
Test: tested as part of http://go/ag/4674759
Change-Id: I65a2506209215cd081c685faac26e08bae486d5e
Merge from Widevine repo of http://go/wvgerrit/53202
and
Merge from Widevine repo of http://go/wvgerrit/53624
This change contains a variety of small tweaks to the
ContentKeySession and EntitlementKeySession classes that were
discovered while fixing b/78652567. There should be no change in
behavior from this patch. The fixes are:
1) Added missing headers and removed unnecessary headers.
2) Removed the unused keys_ member from EntitlementKeySession.
3) Renamed ContentKeySession's protected member function so that it is
not an overload of the public LoadKeys() function. This makes it
clearer what EntitlementKeySession::LoadKeys() is doing.
4) Added missing "virtual" and "OVERRIDE" keywords.
5) Added missing copyright headers.
6) Ran clang-format with Google style.
7) Correct missing OVERRIDE keywords.
Test: tested as part of http://go/ag/4674759
Change-Id: Icb0af886d7d3eb097b5dffbb716be6ac28f0916d
Merge from Widevine repo of http://go/wvgerrit/48842
In order to work around a limitation of some versions of OEMCrypto,
the packager is going to start generating files with multiple Widevine
PSSH boxes. For backwards-compatibility, the first PSSH will be a
SINGLE-type PSSH while the ENTITLED_KEYS-type PSSH (if any) will come
later. In order to use entitlement licenses, then, the CDM needs to
change how it selects PSSHs from the init data blob.
Previously, the CDM always took the first Widevine PSSH it found. Now,
it must find all the Widevine PSSHs and select the appropriate PSSH
for the OEMCrypto implementation. ENTITLTED_KEYS will be used on OEC
v14 and later, if available, while SINGLE will be preferred on earlier
OEMCrypto versions.
As a side-effect of this, the CDM is now stricter about what PSSH
payloads it will accept. Previously, it would blindly accept the
payload of any PSSH where the wrapper was not malformed. Now, it
sometimes has to actually parse the payload, and therefore PSSHs that
have corrupted payloads will be rejected. This affected a few unit
tests which used PSSHs that were malformed. These tests have been
updated to use PSSHs that do not fail to parse.
Bug: 78142219
Test: CE CDM Unit Tests
Test: Android Unit Tests
Test: Android Google Play & Netflix
Test: tested as part of http://go/ag/4674759
Change-Id: Ia70d627a914299bfbae84b4cb46f100dc5c7a501
Merge from Widevine repo of http://go/wvgerrit/52480
Partners have asked for a way to release offline licenses without
using a release message. This is typically used by cable partners who
are caching licenses ahead of time and do not care about usage
statistics.
As part of implementing this request, CdmSession::DeleteLicense() was
renamed to reflect that it only deletes the *files* associated with a
license, and a new CdmSession::DeleteLicense() has been written that
also cleans up other related data.
Bug: 77955334
Test: CE CDM Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: I00d6e20935c5fecb3ac9be6757c0f191d85c6bd6
Merge from Widevine repo of http://go/wvgerrit/49820
Devices with baked-in DRM certs cannot be reprovisioned. As such, we
must protect them against being unprovisioned. Currently, our unit
tests break such devices by attempting to unprovision them. This patch
adds code to block the Unprovision() call on these devices.
Bug: 69264798
Test: CE CDM Unit Tests
Test: tested as part of http://go/ag/4674759
Change-Id: I49322dcb2d3d5c7953e870eb91a9e0b978d4dabe
This CL just updates some comments from the http://go/wvgerrit/51680. Changes
in that CL made to oemcrypto are in the refactor CL.
Test: tested as part of http://go/ag/4674759
Change-Id: Ia619089e146ea635c5a73a53bc81973bb42b42f7
Merge from widevine of http://go/wvgerrit/48885
iOS prohibits using clock_settime. In order to make the test consistent,
we set time using settimeofday instead.
Test: tested as part of http://go/ag/4674759
Change-Id: I8812b9b099fa8160591fafece070c34afeed82fa
Merge from Widevine repo of http://go/wvgerrit/46204
Refactor utility code - split the mock, step 1
Merge from Widevine repo of http://go/wvgerrit/46205
Move some OEMCrypto types to common header - split the mock, step 2
Merge from Widevine repo of http://go/wvgerrit/46206
Split mock into two -- step 3
Merge from Widevine repo of http://go/wvgerrit/47460
Split the mock into two -- step 3.5
The CL moves several files used by oemcrypto and cdm into a common
subdirectory, so that it may more easily be shared with partners.
The CORE_DISALLOW_COPY_AND_ASSIGN macro was moved to its own header in
the util/include directory.
This CL removes some references to the mock from other code, and puts
some constants and types, such as the definition of the keybox, into a
header in oemcrypto.
Test: tested as part of http://go/ag/4674759
bug: 76393338
Change-Id: I75b4bde7062ed8ee572c97ebc2f4da018f4be0c9
[ Merge of http://go/wvgerrit/58460 ]
If OEMCrypto runs out of space in the usage table header+entries adding
a new license or loading/using an existing one might fail. This CL makes
two modifications to handle this scenario.
* OEMCrypto_ERROR_INSUFFICIENT_RESOURCES will be returned from
OEMCrypto_CreateNewUsageEntry or OEMCrypto_LoadUsageEntry. An attempt
will be made to release a LRU entry from the usage table and retry
the operation. This may be retried 3 times unless success
occurs earlier.
* On initialization, the usage table header is loaded. If there are more than
the minimum number of usage entries (200), an attempt is made to
add a usage entry. If this fails, we are likely in an unrecoverable
state. We then delete all offline licenses, usage information and
recreate the usage table header. This will allow future playback
attempts to succeed and offline licenses to be able to be downloaded
but will lose all current offline licenses and secure stops.
Bug: 112486006
Test: WV unit/integration tests, GtsMediaDrmTest
Playback tests using Netflix and Play movies.
Change-Id: I41a18d69a329f8a96c7b607d299ce73af3d56177
Merge from Widevine repo of http://go/wvgerrit/58440
This CL modifies the oemcrypto test TwoHundredEntries so that it
attempts to create more than 200 entries. A device is allowed to fail
when such an attempt is made, but it must return an insufficient
resources error.
The test then verifies that each of the entries that were succesfully
created can be used to reload its license and the keys can be used for
decryption.
It then shrinks the usage table header, and verifies that the
remaining licenses can still be used for decryption.
bug: 112486006
test: unit tests (test code only)
Change-Id: I6e6edfb00f0553724e0f99fb4e5ea5c817450937
To be compatible with latest googletest.
Test: compile
Change-Id: I15d857ce7b9b28ba5f75c84c61f1c6a970012ca7
Merged-In: I15d857ce7b9b28ba5f75c84c61f1c6a970012ca7
(This is a merge of http://go/wvgerrit/55265)
Compiling with GCC 7 revealed that a function call in this test was
missing an argument. It meant to be passing the output protection level
to the function, but because of optional arguments, it was instead
passing it as the fourth argument.
Fixing this revealed that the test cases for the test were incorrect in
one case, which has been fixed to expect the correct results.
Thankfully, this part of the code does not appear to have been broken
while the tests had this hole.
Bug: 111648438
Test: build_and_run_all_unit_tests.sh
Change-Id: I6c13d5fecdccc4185ca5e8698fc845929ff16cb1
Merge from Widevine repo of http://go/wvgerrit/53980
The provisioning doc changed names, and I accidentally added the new one
without deleting the old one.
I also added a watermark to the newer one.
Change-Id: Ib6e553aa5222c0c59dc03a897229645d37e4189e
