HALs need to getCallingSid to verify clients.
[ Merge of http://go/wvgerrit/89123 ]
Bug: 134787536
Test: log calling sid
Change-Id: I9cfbddfc274457a6802d9c8f37470d656771acc6
Cherry pick of http://go/ag/9326830
This is a merge of the full decrypt path testing CLs from the Widevine
repo: http://go/wvgerrit/q/topic:FDPT-subsamples
This is the Full Decrypt Path Testing application that can be used by
device makers to verify that OEMCrypto is correctly decrypting content
to secure buffers.
Testing: Ran App.
Bug: 113594822
Change-Id: Icbb1e2f2e762bac3cc1b7b20749922c14ea24449
Cuttlefish includes GMS core, Widevine is required.
Add Widevine security level 3 drm service to cuttlefish.
Since we do not want to include vendor Widevine as open code
in cuttlefish's manifest, we will use LOGCAL_VINTF_FRAGMENTS
to refer to Widevine hal in Android.mk here.
Test: tests from gts WidevineDashPolicyTests classs
ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts-dev \
-m GtsMediaTestCases \
--test com.google.android.media.gts.WidevineDashPolicyTests \
#testL3LongLicenseShortPlayback
bug: 141621537
Change-Id: Ibaf5b77ba337c778a45560b20ca752a19724cc9d
[ Merge of http://go/wvgerrit/87283 ]
SPOIDs (Stable Per-Origin IDentifiers) were not correctly being
set during CdmEngine construction. This resulted in SPOID values not
being sent in provisioning requests. This caused the serial number in
the drm certificate to not be stable after a reprovision.
This behaviour appears to be true going back to O.
CdmEngine no longer takes a SPOID in the constructor since not all
callers use SPOIDs. A setter has been added in its place. Previously
spoid had a default argument to the constructor.
Bug: 142368328
Test: android unit/integration tests
Change-Id: I711346df609636ecf1475dc37873454a7ef000c0
[ Merge of http://go/wvgerrit/88006 ]
Certain test files have yet to be formatted since we introduced
clang-formatting.
Test: android unit/integration tests
Bug: 134365840
Change-Id: I2d30ad367d76a9dfbf389614e1b31ed39fa17c72
[ Merge of http://go/wvgerrit/87964 ]
A preliminary test has been added, more to follow.
Bug: 142747616
Test: android unit tests
Change-Id: Ida8eb853c14f73f60f7bc354f14a02224c2ce66c
[ Merge of http://go/wvgerrit/87905 ]
Protobuf parsing of the provisioning message has been centralized in
certificate_provisioning.cpp since it will be invoked from
multiple locations. This will also ease maintainability of the code.
Bug: 142731300
Test: android unit/integration tests
Change-Id: Idebf6b0145b317698559cac1cf18a3a0b98315ad
[ Merge of http://go/wvgerrit/87143 ]
Certain android files have yet to be formated since we introduced
clang-formatting.
Test: Android unit tests
Bug: 134365840
Change-Id: I0e58fb7e5b5525f1e2885ce89b222561a971ab27
Since these were combined into libhidlbase.
Bug: 135686713
Test: build only (libhwbinder/libhidltransport are empty)
Change-Id: Ie7052b17c1d468f63250755f3ffa5099760c9602
[ Merge of http://go/wvgerrit/87123 ]
Certain android files have yet to be formated since we introduced
clang-formatting.
Test: built for android
Bug: 134365840
Change-Id: Ia316b039e7469f7cf803464ee95a919fe7966450
[ Merge of http://go/wvgerrit/86243 ]
Sorted the case-return blocks in the error map function. Used two iterations
of a bucket sort algorithm. First by the case label, then a binary sort on
whether the return value is in the `android` namespace or not. There are some
exception (such as the first and last block).
The majority of the sorting was done using a script:
https://paste.googleplex.com/6390453727395840
Bug: 34648626
Test: Linux unit tests and compiled on Android
Change-Id: I524e0d0d93df8b0a3dc1155980eec22cf43156b6
[ Merge of http://go/wvgerrit/86444 ]
When the CDM engine attemped to remove all usage information across
both L1 and L3, a failure in L1 was being ignored if L3 removal
succeeded.
For this fix, L1 failure codes are prioritized over L3 failure codes
(should both L1 and L3 fail).
Bug: 141272019
Test: Linux unit test and Android unit tests
Change-Id: I2df6d47a2a57c373c6c76903ab33ebbf649005b3
(This is a merge of http://go/wvgerrit/86383)
When Key Sessions were added to CryptoSession, the initialization of the
initial Key Session was placed at the end of the initialization of the
owning CryptoSession. That's all well and good except the block right
before that assumed that it was safe to abort initialization early in
order to swallow errors when setting up usage tables. As a result, if
anything caused usage table initialization to fail, it would leave the
CryptoSession without a Key Session, resulting in an inevitable segfault
further down the line.
There's no reason the Key Session can't be initialized first. This
change moves initialziation order around to avoid the bug.
Bug: 141021960
Test: CE CDM Unit Tests
Test: Android Unit Tests
Change-Id: Ic78005c831d2a24d7d6de22df54462b2bd7085f0
am: f07529cbc4 -s ours
am skip reason: change_id I16a7de4dab69bf3b4b550bb2ee202f4600682837 with SHA1 0c7dfda7e1 is in history
Change-Id: I89a2ca3aeba455dc45b63fc9d8313d8dc3018032
Switch Widevine service to link dynamic libcrypto.so.
Merge from http://go/wvgerrit/86323
Test: Play Movies & TV, Netflix, ExoPlayer, GTS
bug: 141082724
Change-Id: I16a7de4dab69bf3b4b550bb2ee202f4600682837
Merged-In: I16a7de4dab69bf3b4b550bb2ee202f4600682837
(cherry picked from commit 0c7dfda7e1)
The use of static libcrypto.so breaks FIPS cert.
Switch to use dynamic libcrypto.so.
Also merge in http://go/ag/9416801 changes. Static
libcrypto can be used for modules that do not affect
FIPS cert.
Merged from http://go/wvgerrit/86345
Test: Widevine unit tests, Play Movies & TV, Netflix
Test: quick GTS playback tests
ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsMediaTestCases --test com.google.android.media.gts.MediaDrmTest#testWidevineApi29
ANDROID_BUILD_TOP= ./android-gts/tools/gts-tradefed run gts -m GtsExoPlayerTestCases --test com.google.android.exoplayer.gts.DashTest#testWidevine23FpsH264Fixed
bug: 141150503
Change-Id: I6427c5a86e52e9cfb800d35ac0a3a67011039d10
[ Merge of http://go/wvgerrit/85743 ]
There were a few methods that did not check that the output parameter was not
set to null befor assigning to. The new checks follow a similar pattern that
is used for DeviceFiles.
Bug: 135207278
Test: Linux unittest and Android tests
Change-Id: Idff25a71dd7a6db99f7f9c2dcf4949ac683208cc
[ Merge of http://go/wvgerrit/85804 ]
This moves file_utils_unittest.cpp, file_store_unittest.cpp and
base64_test.cpp from core/test to utils/test.
Bug: 140639279
Test: Android unit/integration
Change-Id: I1c31e5a716a925478fc1efe9fe68b93b1514e89c
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.
Bug: 141248879
Test: m checkbuild
Change-Id: I53757b813fe2984261a3bde963cac1886523dfdf
[ Merge of http://go/wvgerrit/85153 ]
Issues addressed in this CL:
1) Linkage warnings in g++
2) Inconsistent `override` with clang++
3) Test variable names
Some of our tests use types defined in test-local anonymous namespace. For
our tests setup, this does not cause any linkage issues; however, g++ produces
warnings about it.
The options were to suppress it with `-Wno-subobject-linkage`, or to change
the tests to avoid even the potential of a linkage error.
There were additional warnings showing up about the use of `override` on
derived mock classes. The solution was simply to remove the `override`
qualifier on `MockFile`'s destructor.
Some of the test data variables were using snake_case, here I switched it to
kConstantCamelCase.
Bug: 139808919
Test: Compiling with gcc, Linux unittests and Android unittests
Change-Id: Ic3f82a6db7fad990ffe49186914084b039ec8a14
Switch Widevine service to link dynamic libcrypto.so.
Merge from http://go/wvgerrit/86323
Test: Play Movies & TV, Netflix, ExoPlayer, GTS
bug: 141082724
Change-Id: I16a7de4dab69bf3b4b550bb2ee202f4600682837
This change renames the IMemory raw pointer accessors to
unsecure*() to make it apparent to coders and code reviewers
that the returned buffer may potentially be shared with
untrusted processes, who may, after the fact, attempt to
read and/or modify the contents. This may lead to hard to
find security bugs and hopefully the rename makes it harder
to forget.
The change also attempts to fix all the callsites to make
everything build correctly, but in the processes, wherever the
callsite code was not obviously secure, I added a TODO requesting
the owners to either document why it's secure or to change the
code. Apologies in advance to the owners if there are some false
positives here - I don't have enough context to reason about all
the different callsites.
Test: Completely syntactic change. Made sure code still builds.
Change-Id: I13466e045f587e612ad80e518fee27f4da0bde5e
Bug: 138709931
Test: 1) Keep the widevine splitbins ONLY at /vendor/firmware_mnt/image
2) L1 secure video playback
Change-Id: Icbb749a0ac379015ed48c4bf32f7647d7fbe5b96
[ Merge of http://go/wvgerrit/84490 ]
The unit tests will now make at most 10 attempts to provision
themselves before declaring failure.
This change is made to help with flaky provisioning requests that
have been experienced on the Jenkins build server.
Bug: 139298083
Test: Linux unit test, Jenkins build and Android unit tests
Change-Id: I6415a5ef9fdf10ceb893867d5fc73131338e9f76
(This is a merge of http://go/wvgerrit/84510)
When the CE CDM 3.5 behavior around service certificates was originally
implemented, it allowed sessions to be created if a service certificate
had not yet been installed, in keeping with the EME spec. However, the
service certificate in use at session creation time was cached, and so
there was a bug where any sessions open before a service certificate was
installed would never be updated with any future service certificates.
The code also caused problems for Android. When it was merged to master,
it was fixed to simply not allow session creation on CE CDM without a
service certificate. However, this created an impedance mismatch between
the CE CDM and EME that has caused pain for Shaka Player Embedded,
Chrome, Chromecast, Fuchsia, and likely every partner that is trying to
implement a fully-compliant EME stack on top of CE CDM.
Removing the code that blocks session creation without a service
certificate is easy. Fixing the bug that motivated it is not. Removing
the caching is not possible because Android needs it for certain
behavior on its end. So instead, the CE CDM will have to iterate over
all open sessions and update their service certificates if the installed
service certificate changes.
Test: CE CDM Unit Tests
Test: Android Unit Tests
Bug: 111766009
Change-Id: I1bd70553e2209b823a6acdc221c0497a5f3181b2
[ Merge of http://go/wvgerrit/84989 ]
FileUtils::Remove() when used with wildcards would ignore a prefix specified
before the asterisk and delete all files with the same extension.
Fix proposed by broadcom.
Bug: 120039689
Test: WV unit/integration tests
Change-Id: Iddc6c6b1983c41b501b21f34626f56c0b74af6c8
[ Merge of http://go/wvgerrit/85503 ]
Replacing a few instances of C's NULL with C++'s nullptr in some of the
smaller sub-directories in the CDM.
Note that clang-format has performed additional changes to some of the
test files that have not yet been formatted.
Bug: 120602075
Test: Android unittest
Change-Id: I926135ed4b85e9d2d58a014b4a62098b0cb7a373
[ Merge of http://go/wvgerrit/84990 ]
Storing and retrieving licenses from device files had required 15
parameters to the DeviceFiles methods. Now, licenses information is
bundled together in a single struct `CdmLicenseData`, similar to
`CdmUsageData`.
Bug: 137882164
Test: Linux and Android unittest
Change-Id: I149b39573800e7c66681343b252b41341a8902f7
[ Merge of http://go/wvgerrit/85408 ]
Replacing a few instances of C's NULL with C++'s nullptr in some of the
smaller sub-directories in the CDM.
Bug: 120602075
Test: Linux and Android unittests
Change-Id: I62bb548051434b4b974d89a6d57a9a17a0d66bd2
[ Merge of http://go/wvgerrit/84607 ]
[ Merge of http://go/wvgerrit/84608 ]
The primary goal is to replace the use of `rand()` with the random
number generators provided with the C++11 standard.
This simplified generator wraps some of the technical aspects of the
<random> library and provides an interface for uniformly distributed
integers.
As part of the `rand()` purge in the CDM, all uses of the C random int
function in `core()` have been removed. Places that previously used
`rand()` now use `CdmRandom` facilities.
Test: Linux unittest and Android unittest
Bug: 130680365
Change-Id: Ica383870536ed462dbb80e630c2d66845e38b937
[ Merge of http://go/wvgerrit/84647 ]
[ Merge of http://go/wvgerrit/84648 ]
Replacing most instances of C's NULL with C++'s nullptr. Also changed
how a NULL check is performed on smart pointers. They provided an
implicit boolean operator for null checks, meaning the underlying
pointer does not need to be compared directly (as it was in some places
before).
Note that clang-format has performed additional changes to some of the
test files that have not yet been formatted.
Bug: 120602075
Test: Linux and Android unittests
Change-Id: I06ddebe34b0ea6dfecedb5527e7e808e32f5269a
[ Merge of http://go/wvgerrit/83423 ]
[ Merge of http://go/wvgerrit/83424 ]
[ Merge of http://go/wvgerrit/83425 ]
[ Merge of http://go/wvgerrit/83426 ]
[ Merge of http://go/wvgerrit/83427 ]
Types of cleanup:
- Removed function / class prefixes from the logs.
- Fixed log string format options to match the types passed
- Corrected small spelling mistakes / typos
- _Tried_ to make the log format more consistent
- Added static_cast<int> conversion on enumerations when logged
- Changed several LOGE to LOGW and vice versa
- Used LOGE if the triggering condition stops the method/function
from completing its task
- Used LOGW if the triggering condition changes the expected
outcome but does not stop the rest of the method/function's
task
- Changed several instances of `NULL` to `nullptr`
- Ran clang-format on files after cleanup
This is part of a larger code quality effort in Widevine DRM.
Test: WV linux unittests and WV Android unit tests
Bug: 134460638
Bug: 134365840
Bug: 136123217
Change-Id: I958ec70ef99eef95c38dbebd7a1acd62ef304145
[ Merge of http://go/wvgerrit/83804 ]
There is a private helper method in `UsageTableHeader` which is used by
other methods to shrink the table by removing a specified number of
entries.
Prior to this change, if `Shrink` was called to remove more entries
than there are, it would: 1) do nothing and 2) return `NO_ERROR`.
Obviously, at least one of those action should change.
Instead of doing nothing, it will simply remove all the entries from
the table and return `NO_ERROR`. A warning will be logged that it was
requested to shrink by more entries than there are.
Four (4) new tests have been created to ensure that `Shrink()` works as
expected.
Test: Linux unit tests
Bug: 138242127
Change-Id: Idedd922bd883d7ae1b84ce8ec1255fdce00c0948
