OPK v17.3

CHANGELOG.md

@@ -2,6 +2,34 @@
 
 [TOC]
 
+## [Version 17.3][v17.3]
+
+This is a minor release that includes a few security fixes.
+
+General
+
+- Change OEMCrypto_FreeSecureBuffer() |output_descriptor| parameter to be
+[in,out] type.
+- Use strlen() instead of sizeof() to get the length of BUILD_INFO
+
+OPK serialization layer
+
+- Avoid writing any value to output parameters if the OEMCryptoResult is not
+OEMCrypto_SUCCESS. (Applies to [out] type only. Not [in] or [in,out]). This
+avoids subtle bugs where the serialization logic may unexpectedly modify (eg
+set to 0) an output parameter on failure.
+
+Tests
+
+- Fix default cipher mode for CAS unit test.
+- Skip entitlement session tests that are only supported on CAS devices.
+
+OP-TEE port changes
+
+- Fix memory leaks on failure cases in AES decrypt, RSA key creation, and ECC
+key creation.
+- Check incoming message size from REE to avoid OOB.
+
 ## [Version 17.2.1][v17.2.1]
 
 Patch release which includes a fix for a bug in the OPK session state machine
@@ -17,6 +45,11 @@ room for new licenses. Similarly, if the usage table has gaps where previous
 entries were deleted, then this bug may occur when the CDM tries to defragment
 the usage table by moving newer usage entries into those gaps.
 
+Other changes
+
+- In oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_clock_and_gn_layer1.c,
+specifically handle WTPI_LoadPersistentData() failure on initialization.
+
 ## [Version 17.2][v17.2]
 
 This release contains the first version of OPK to support MediaCAS, an
@@ -236,3 +269,4 @@ Public release for OEMCrypto API and ODK library version 16.4.
 [v17.1+opk-v17.1.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1+opk-v17.1.1
 [v17.2]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.2
 [v17.2.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.2.1
+[v17.3]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.3