[ Merge of http://go/wvgerrit/207456 ]
When parsing Widevine's HLS key data, the key details are contained
in a data URI in the HLS X-KEY URI field. The data of the URI is a
base64 encoded JSON object, containing the information required to
generate the license request. The "content_id" field of the JSON
object is expected to be base64 encoded; however, the HLS parser
did not verify that the decoding was successful. In the event that
it was not successful, the decoder would return an empty string, which
the parser would attempt to access the first element by reference
which may be a null reference.
In C++, creating a reference from a null pointer (without actually
accessing the value) is undefined; however most C++ implementations
will not cause a segment fault; but it is not guaranteed by the
standard.
This change checks if the decoding was successful before attempting
to store the decoded "content_id" value.
A unit test is added to ensure that a parser fails gracefully.
Bug: 356210640
Test: HlsParseTest.BadHlsData_InvalidContentId
Change-Id: Ie2ad42d69953258659178dd1464d830b2723c6c7
This is based on a patch submitted by Amlogic.
When we're doing decrypt fallback, either in the CDM or the OEMCrypto
tests, we sometimes fall back to a point where we're synthesizing new
samples and/or subsamples for the content being decrypted. When this
happens and the output buffer is clear, we should limit the size of the
output buffer to only the space needed to hold the output.
Previously, we've been passing the entire output buffer to every call.
This can create a problem if the reason for the fallback is a lack of
enough memory to communicate the buffers to the TA, since the output
buffer will remain the same size as the total output. Restricting the
buffer passed to each call to only the space needed by that call will
reduce the memory requirement.
Cherry-picked from http://go/wvgerrit/205311
Bug: 354834629
Test: x86-64
Merged from https://widevine-internal-review.googlesource.com/204810
Change-Id: I412f43d8f88c72072ef1dd5293436bdb58e500b3
[ Merge of http://go/wvgerrit/200415 ]
UDC specific: No DRM reprovisioning support
The SystemIdExtractor did not properly define behavior when working
with opened/closed CryptoSessions. Due to the CryptoSession's class
dual role of being both a session and a general handle into the
crypto engine, small bugs relying on undefined behavior which happened
to return expected output allowed tests to pass.
This CL makes the following changes:
1) Have SystemIdExtractor verify caller expectations when session is
open.
2) Improved SystemIdExtractor to operate when CryptoSession is opened
or closed.
3) Updates several SystemIdExtractorTest cases to better test defined
behavior without relying on undefined behavior.
4) Better code comments; hopefully some which will help prevent future
misuse of the internal APIs.
Test: system_id_extractor_unittest on Oriole
Test: WVTS on oriole
Bug: 329713288
Change-Id: I65518fe62f43e8060ea752852eb08a3d7132e2a0
[ Merge of http://go/wvgerrit/194930 ]
[ Cherry-pick of http://ag/26577931 ]
OEMCrypto v17 introduced higher granularity in the device's HDCP V1
levels. Previously, all HDCP v1.x were grouped together. The change
was aimed towards server policy enforcement, not device enforcement.
Core code was updated, and could then be reflected in license
requests; however, reporting the new v1.x subversions was never
exposed to the higher app layers.
It is likely that devices which attempted to use specific 1.x versions
encountered test failures (for both CE CDM and Android CDM) as neither
implementation could handle such versions when communicating with
the app.
This change updates both CE CDM and Android CDM:
1) The CE CDM now uses the same subversion version comparisons as
performed by the core code.
2) The Android CDM will now recognize new HDCP levels, and not return
unexpected values.
Bug: 329155501
Test: run_x86_64_tests
Test: request_license_test on Oriole
Change-Id: I61fc0f11808f594456bd00210fd9b2bb5ed16c0e
[ Merge of http://go/wvgerrit/189650 ]
The CDM session shares its CryptoSession instance with a few additional
member objects (CdmLicense and PolicyEngine). When the CDM session's
crypto session is reset, it must also reset the CdmLicense and
PolicyEngine; otherwise, a potential stale pointer reference may occur.
Test: request_license_test on Oriole
Test: WVTS on Oriole
Bug: 311239278
Change-Id: Ie175513ae652dcd96e12e5e1def574a8a56d5863
ag/26105061 accidentally reverted some of these changes so I am pushing
up another patch to add them back in.
[ Merged of go/wvgerrit/186370 ]
CDM by default allows test keybox from device side.
Bug: 299987160
Bug: 301669353
Change-Id: I6acf93c78f76a13f2c4539aabfd0262670b54c48
[ Merge of TBD ]
The merge of oemcrypto-v18 cdm branch to udc-widevine-dev
caused a number of CDM/plugin fixes to be lost.
This undoes the non-oemcrypto changes in http://go/ag/26105061
Bug: 290252845
Test: WVTS, unittests on panther
Change-Id: I2bb99f423bda351eee30276cb0e26e3d9e27fa7d
[ Merge of http://go/wvgerrit/148949 ]
For ATSC licenses use ATSC certificates/private keys rather than
any cert/private key specified in the license.
Bug: 216420542
Test: WV unit/integration tests
Change-Id: I12541577e672c67cc4c6eb3365e48bf2034fd9a4
[ Merged of go/wvgerrit/186370 ]
CDM by default allows test keybox from device side.
Bug: 299987160
Bug: 301669353
Change-Id: I06f1936ccd068eb71364a5a8931970954233b686
[ Merge of http://go/wvgerrit/183472 ]
For provisioning 4.0 devices, the DRM certificate serial number
was changing on a reprovisioning attempt or factory reset. The
app parameters sent up in the client identification name-value
pair field were being filtered out in provisioning requests.
This has been corrected for provisioning 4.0 stage 2
(DRM certificate request). There is no need to include them for
stage 1 (OEM certificate request).
The test case WvCdmRequestLicenseTest.ProvisioningSpoidTest
was created earlier to ensure that SPOIDs and DRM certificates are
stable. Unfortunately due to another bug b/250099615, the RKP service
was holding a connection to the Widevine TA for provisioning 4.0
devices. When native tests ran as their own process, L1 would fail
to load due to a connection failure and the test would run as L3.
The tests passed for provisioning 4.0 devices Pixel 7 and 8 when
they should have failed. This gave us a false sense of confidence
that the SPOIDs were stable.
For now a workaround is to run a shell command to kill the widevine
TA before running native tests.
$ adb shell pkill -f -9 widevine
New tests have been introduced to provide integration coverage
WVPluginTest at the WV plugin level and CoreIntegrationTest
for core. GTS tests are also being written in b/295538002.
Bug: 294451432
Bug: 293950895
Test: WVPluginTest.ProvisioningStableSpoidTestL1, WVTS tests
Change-Id: Ib9ace4387866ea38bb1840feb69cea78d2d2c09c
[ Merge of http://go/wvgerrit/181151 ]
[ Cherry-pick of http://ag/24103737 ]
For devices with a large number of usage entries, when restoring the
usage table a capacity check is performed. This checks that a new
entry can be created. This test was originally added as some devices
might enter a "stuck" state where the table cannot be initialized.
To perform this test, a temporary crypto session is created and an
entry is created for that session. After successfully creating that
entry, the entry is deleted. However, because the session was left
open, the entry could not be deleted.
This change closes the capacity-check-session before deleting the
entry, as well as includes additional logs for helping future debugs.
Bug: 286176947
Bug: 291351287
Test: usage_table_header_unittest
Test: Android GTS R11 on oriole
Change-Id: I6923de00175f70b2392bfe581ca5f9ae60c4af25
(cherry picked from commit 8b4bbeeb6f440c48a3250b961f7a7dab2472d7e9)
(cherry picked from commit bb925c46e5)
[ Merge of http://go/wvgerrit/181152 ]
[ Cherry-pick of http://ag/24137228 ]
Partners have requested that we log HDCP information during certain
operations:
1) Current and max HDCP capability when calls to decrypt or select
key failure due to insufficient or mixed HDCP levels.
2) Current, desired and default HDCP level when video constraints
are not met.
To avoid spamming the logs, decrypt failures are only logged on their
first occurrence, and unmet video constraints when one of the
requirements changes.
Bug: 276686656
Bug: 292005982
Test: license_keys_unittest
Test: Android WVTS on oriole
Change-Id: I98b18e66d7ce1c474a018ae83af4f1c0b03308df
(cherry picked from commit c84b9afd38)
[ Merged from http://go/wvgerrit/179214 ]
Sony has identified a 5-year-old copy-and-paste error in
LicenseKeys::GetAllowedUsage(). For entitled keys, it was calling
CanDecryptContent() instead of GetAllowedUsage() on the entitlement key
session. This meant that for entitled keys, the allowed_usage parameter
was never updated and the return value of the function was indicating
something different than intended.
Bug: 280902715
Test: build_and_run_all_unit_tests
Test: wvts on panther
Change-Id: Ic1db01b6dce08d444572f53157ff08b337c48d31
[ Merge of https://widevine-internal-review.googlesource.com/c/cdm/+/178890/ ]
GetDeviceInformation() and GetDeviceSignedCsrPayload() are added to
cdm_engine and crypto_session, so that they can be queried by DRM
plugin. This is to allow the wv drm HAL to be able to extract BCC and
CSR payload to build CSR for prov 4 device registration, such that we
don't need a separate RKP HAL to do this job.
Changes to the DRM plugin to use the exposed methods will be in the
coming CL.
Bug: 286556950
Test: request_license_test
Change-Id: I5f7aed8b3471ea477b79d08b95e1d217dc39070b
[ Merge of http://go/wvgerrit/178872 ]
[ Cherry-pick of http://ag/24047535 ]
Partners have requested that we log HDCP information during certain
operations:
1) Current and max HDCP capability when calls to decrypt or select
key failure due to insufficient or mixed HDCP levels.
2) Current, desired and default HDCP level when video constraints
are not met.
To avoid spamming the logs, decrypt failures are only logged on their
first occurrence, and unmet video constraints when one of the
requirements changes.
Bug: 276686656
Test: license_keys_unittest
Test: Android WVTS on oriole
Change-Id: I98b18e66d7ce1c474a018ae83af4f1c0b03308df
[ Merge of http://go/wvgerrit/178217 ]
[ Cherry-pick of http://ag/24029327 ]
For devices with a large number of usage entries, when restoring the
usage table a capacity check is performed. This checks that a new
entry can be created. This test was originally added as some devices
might enter a "stuck" state where the table cannot be initialized.
To perform this test, a temporary crypto session is created and an
entry is created for that session. After successfully creating that
entry, the entry is deleted. However, because the session was left
open, the entry could not be deleted.
This change closes the capacity-check-session before deleting the
entry, as well as includes additional logs for helping future debugs.
Bug: 286176947
Test: usage_table_header_unittest
Test: Android GTS R11 on oriole
Change-Id: I6923de00175f70b2392bfe581ca5f9ae60c4af25
(cherry picked from commit 8b4bbeeb6f440c48a3250b961f7a7dab2472d7e9)
[ Merge of http://go/wvgerrit/175310 ]
Pass the real oemcrypto session id from `pair.session` instead of
`session` for LoadEntitledContentKeys, since `session` can be
changed when L1 and L3 are running in parallel and `session` in
that case may not be the correct oemcrypto session id any more.
Bug: 279967915, 282180589
Test: wvts
Change-Id: I127ff37abf8b618dfbcb623f59bc999e58e7a028
[ Merge of http://go/wvgerrit/174555 ]
This is only announced if OEMCrypto is v18+
Bug: 278751387
Test: Duration use case tests, wvts tests
Change-Id: I5cbfcc733ed2af2c940fde381b40a5be850e7e88
[ Merge of http://go/wvgerrit/173290 ]
* Renew timer offset from when license is loaded verifies that the
rental duration has not expired and begins decryption.
* Renew timer offset from first decrypt bugfix
* Feature is enabled based on oemcrypto v18 presence
* Renewal logic verifies that |can_renew| is enabled
* Unit tests were added to reflect use cases from duration
and renewal documentation
Bug: 278751387
Test: policy unittests, CdmUseCase tests, wvts tests
Change-Id: I3070b3f31b316e150c28ebe38d0440ab1eeb89b9
[ Merge of http://go/wvgerrit/175058 ]
Pass the real oemcrypto session id from `pair.session` instead of
`session` for LoadEntitledContentKeys, since `session` can be
changed when L1 and L3 are running in parallel and `session` in
that case may not be the correct oemcrypto session id any more.
Bug: 279967915, 282180589
Test: wvts
Change-Id: Iad0ac5e505d3b38d220f1484d4cf5f8bc3b5337f
[ Merge of http://go/wvgerrit/174572 ]
Pass the real oemcrypto session id from `pair.session` instead of
`session` for CopyBuffer, since `session` can be changed when L1
and L3 are running in parallel and `session` in that case may not
be the correct oemcrypto session id any more.
Bug: 279967915
Test: wvts
Change-Id: Ic5e21ccb227d4c4992ef500435fa3b68812c4d9b
[ Merge of http://go/wvgerrit/172010 ]
The CdmEngine provides an API for generic crypto operations that are
already used for the CE CDM. This API is being exposed in the Android
CDM. The parameter order of the Android CDM is modified to match the
existing generic crypto parameters used in the media DRM plugin.
Bug: 274984456
Bug: 29400687
Test: build x86-64 and Android
Change-Id: I3b286ebb011bd58754b7b8ea814ed46daf1f62f9
Merge of https://widevine-internal-review.googlesource.com/c/cdm/+/173330
Skipping files that are not in android from the CL above.
Original commit message:
Pass the real oemcrypto session id from `pair.session` instead of
`session`, since `session` can be changed when L1 and L3 are running in parallel and `session` in that case may not be the correct oemcrypto session id any more.
Also adding a few missing v18 L3 functions pointers to the dynamic
adapter.
Need to re-generate L3 since the L3 sources changed.
Test: L3 unit tests
Test: GTS dash policy tests and Dexter tests
Bug: 271290471
Bug: 279967915
Change-Id: Idc44d57ca38eb1de24c0038917800e37c25b9afc
[ Merge of http://go/wvgerrit/171310 ]
Offline license not found errors are identified by CdmResponseEnum
347 (KEYSET_ID_NOT_FOUND_4). No additional file system information
is shared.
Checks for file existence use the stat command. The stat call can
return error codes from errno.h when the command fails.
These are now converted into sub error codes and returned along with
the offline license file not found error.
This also includes a change to log stat errors other than
ENOENT (no such file or directory) as a warning rather than verbose.
Bug: 276225520
Test: file_store_unittest, file_utils_unittest, GtsMediaTestCases
Change-Id: Ic09d036549582cd65783b49fa96ffefc4bf562c7
The predicate version of wait_for() to avoid spurious wake up by
checking running_ status.
This is a fix to ag/21439870
Test: build widevine
Bug: 272424659
Bug: 271811708
Change-Id: I446fef8f4c8c58bcd47b885dba50643b3e5e1185
[ Merge of http://go/wvgerrit/170073 ]
Removed the file "error_string_util.cpp" and its header, moving the
OEMCryptoResult to string converter to "wv_cdm_types.cpp". This extra
file served little purpose, and created a dependency on the CDM utils
to the CDM itself.
This is part of the effort to fix the formatting of WV metrics; making
enum-to-string conversion uniform throughout the CDM.
Bug: 239462891
Test: adb shell dumpsys android.hardware.drm.IDrmFactory/widevine -m
Test: Manual testing with Google TV
Change-Id: I4bf95d26b623f5b8fa86bdb2578cbc4ee65125cb
[ Merge of http://go/wvgerrit/169374 ]
Device renewals used to require that OEMs remove provisioning
certificates as part of the OTA update process. Instead, a change
in system ID is relied upon to indicate a change in root of trust.
If a change in System ID is detected, reprovisioning will be forced.
This is not enabled for ATSC devices or L3 devices. For the latter a
change in system ID may occur without a change in RoT.
Bug: 258361396
Test: GtsMediaTestCases
Change-Id: I6e8b0b2149fc2ed5362a32bb6e869826f5fa8ef7