Update ODK to v17.1

oemcrypto/odk/include/OEMCryptoCENCCommon.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 /*********************************************************************
@@ -61,7 +61,7 @@ typedef enum OEMCryptoResult {
   OEMCrypto_ERROR_INVALID_NONCE                = 32,
   OEMCrypto_ERROR_TOO_MANY_KEYS                = 33,
   OEMCrypto_ERROR_DEVICE_NOT_RSA_PROVISIONED   = 34,
-  OEMCrypto_ERROR_INVALID_RSA_KEY              = 35,
+  OEMCrypto_ERROR_INVALID_RSA_KEY              = 35,  /* deprecated */
   OEMCrypto_ERROR_KEY_EXPIRED                  = 36,
   OEMCrypto_ERROR_INSUFFICIENT_RESOURCES       = 37,
   OEMCrypto_ERROR_INSUFFICIENT_HDCP            = 38,
@@ -88,6 +88,11 @@ typedef enum OEMCryptoResult {
   OEMCrypto_ERROR_MULTIPLE_USAGE_ENTRIES       = 58,
   OEMCrypto_WARNING_MIXED_OUTPUT_PROTECTION    = 59,
   OEMCrypto_ERROR_INVALID_ENTITLED_KEY_SESSION = 60,
+  OEMCrypto_ERROR_NEEDS_KEYBOX_PROVISIONING    = 61,
+  OEMCrypto_ERROR_UNSUPPORTED_CIPHER           = 62,
+  OEMCrypto_ERROR_DVR_FORBIDDEN                = 63,
+  OEMCrypto_ERROR_INSUFFICIENT_PRIVILEGE       = 64,
+  OEMCrypto_ERROR_INVALID_KEY                  = 65,
   /* ODK return values */
   ODK_ERROR_BASE                               = 1000,
   ODK_ERROR_CORE_MESSAGE                       = ODK_ERROR_BASE,
@@ -96,6 +101,11 @@ typedef enum OEMCryptoResult {
   ODK_TIMER_EXPIRED                            = ODK_ERROR_BASE + 3,
   ODK_UNSUPPORTED_API                          = ODK_ERROR_BASE + 4,
   ODK_STALE_RENEWAL                            = ODK_ERROR_BASE + 5,
+  /* OPK return values */
+  OPK_ERROR_BASE                               = 2000,
+  OPK_ERROR_REMOTE_CALL                        = OPK_ERROR_BASE,
+  OPK_ERROR_INCOMPATIBLE_VERSION               = OPK_ERROR_BASE + 1,
+  OPK_ERROR_NO_PERSISTENT_DATA                 = OPK_ERROR_BASE + 2,
 } OEMCryptoResult;
 /* clang-format on */
 
@@ -110,6 +120,11 @@ typedef enum OEMCrypto_Usage_Entry_Status {
   kInactiveUnused = 4,
 } OEMCrypto_Usage_Entry_Status;
 
+typedef enum OEMCrypto_ProvisioningRenewalType {
+  OEMCrypto_NoRenewal = 0,
+  OEMCrypto_RenewalACert = 1,
+} OEMCrypto_ProvisioningRenewalType;
+
 /**
  *  OEMCrypto_LicenseType is used in the license message to indicate if the key
  *  objects are for content keys, or for entitlement keys.
@@ -117,7 +132,7 @@ typedef enum OEMCrypto_Usage_Entry_Status {
 typedef enum OEMCrypto_LicenseType {
   OEMCrypto_ContentLicense = 0,
   OEMCrypto_EntitlementLicense = 1,
-  OEMCrypto_LicenstType_MaxValue = OEMCrypto_EntitlementLicense,
+  OEMCrypto_LicenseType_MaxValue = OEMCrypto_EntitlementLicense,
 } OEMCrypto_LicenseType;
 
 /* Private key type used in the provisioning response. */
@@ -136,6 +151,62 @@ typedef struct {
   size_t length;
 } OEMCrypto_Substring;
 
+/**
+ * Used to specify information about CMI Descriptor 0.
+ * @param id: ID value of CMI Descriptor assigned by DTLA.
+ * @param length: byte length of the usage rules field.
+ * @param data: usage rules data.
+ */
+typedef struct {
+  uint8_t id;         // 0x00
+  uint8_t extension;  // 0x00
+  uint16_t length;    // 0x01
+  uint8_t data;
+} OEMCrypto_DTCP2_CMI_Descriptor_0;
+
+/**
+ * Used to specify information about CMI Descriptor 1.
+ * @param id: ID value of CMI Descriptor assigned by DTLA.
+ * @param extension: specified by the CMI descriptor
+ * @param length: byte length of the usage rules field.
+ * @param data: usage rules data.
+ */
+typedef struct {
+  uint8_t id;         // 0x01
+  uint8_t extension;  // 0x00
+  uint16_t length;    // 0x03
+  uint8_t data[3];
+} OEMCrypto_DTCP2_CMI_Descriptor_1;
+
+/**
+ * Used to specify information about CMI Descriptor 2.
+ * @param id: ID value of CMI Descriptor assigned by DTLA.
+ * @param extension: specified by the CMI descriptor
+ * @param length: byte length of the usage rules field.
+ * @param data: usage rules data.
+ */
+typedef struct {
+  uint8_t id;         // 0x02
+  uint8_t extension;  // 0x00
+  uint16_t length;    // 0x03
+  uint8_t data[3];
+} OEMCrypto_DTCP2_CMI_Descriptor_2;
+
+/**
+ *  Used to specify the required DTCP2 level. If dtcp2_required is 0, there are
+ *  no requirements on any of the keys. If dtcp2_required is 1, any key with the
+ *  kControlHDCPRequired bit set requires DTCP2 in its output.
+ * @param dtcp2_required: specifies whether dtcp2 is required. 0 = not required,
+ *        1 = DTCP2 required.
+ * @param cmi_descriptor_1: three bytes of CMI descriptor 1
+ */
+typedef struct {
+  uint8_t dtcp2_required;  // 0 = not required. 1 = DTCP2 v1 required.
+  OEMCrypto_DTCP2_CMI_Descriptor_0 cmi_descriptor_0;
+  OEMCrypto_DTCP2_CMI_Descriptor_1 cmi_descriptor_1;
+  OEMCrypto_DTCP2_CMI_Descriptor_2 cmi_descriptor_2;
+} OEMCrypto_DTCP2_CMI_Packet;
+
 /**
  *  Points to the relevant fields for a content key. The fields are extracted
  *  from the License Response message offered to OEMCrypto_LoadKeys(). Each

oemcrypto/odk/include/core_message_deserialize.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 /*********************************************************************
@@ -17,6 +17,8 @@
 #ifndef WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_DESERIALIZE_H_
 #define WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_DESERIALIZE_H_
 
+#include <string>
+
 #include "core_message_types.h"
 
 namespace oemcrypto_core_message {
@@ -53,6 +55,18 @@ bool CoreProvisioningRequestFromMessage(
     const std::string& oemcrypto_core_message,
     ODK_ProvisioningRequest* core_provisioning_request);
 
+/**
+ * Counterpart (deserializer) of ODK_PrepareCoreRenewedProvisioningRequest
+ * (serializer)
+ *
+ * Parameters:
+ *   [in] oemcrypto_core_message
+ *   [out] core_provisioning_request
+ */
+bool CoreRenewedProvisioningRequestFromMessage(
+    const std::string& oemcrypto_core_message,
+    ODK_ProvisioningRequest* core_provisioning_request);
+
 /**
  * Serializer counterpart is not used and is therefore not implemented.
  *

oemcrypto/odk/include/core_message_features.h

@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC. All rights reserved. This file and proprietary
+// source code may only be used and distributed under the Widevine
+// License Agreement.
+
+#ifndef WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_FEATURES_H_
+#define WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_FEATURES_H_
+
+#include <stdint.h>
+
+#include <iostream>
+#include <string>
+
+namespace oemcrypto_core_message {
+namespace features {
+
+// Features that may be supported by core messages. By restricting values in
+// this structure, we can turn off features at runtime. This is plain data, and
+// is essentially a version number.
+struct CoreMessageFeatures {
+  // A default set of features.
+  static const CoreMessageFeatures kDefaultFeatures;
+
+  // Create the default feature set for the given major version number.
+  static CoreMessageFeatures DefaultFeatures(uint32_t maximum_major_version);
+
+  // This is the published version of the ODK Core Message library. The default
+  // behavior is for the server to restrict messages to at most this version
+  // number. The default is 16.5, the last version used by Chrome. This will
+  // change to 17.0 when v17 has been released.
+  uint32_t maximum_major_version = 17;
+  uint32_t maximum_minor_version = 0;
+
+  bool operator==(const CoreMessageFeatures &other) const;
+  bool operator!=(const CoreMessageFeatures &other) const {
+    return !(*this == other);
+  }
+};
+
+std::ostream &operator<<(std::ostream &os, const CoreMessageFeatures &features);
+
+}  // namespace features
+}  // namespace oemcrypto_core_message
+
+#endif  // WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_FEATURES_H_

oemcrypto/odk/include/core_message_serialize.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 /*********************************************************************
@@ -17,23 +17,29 @@
 #ifndef WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_SERIALIZE_H_
 #define WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_SERIALIZE_H_
 
+#include <string>
+
+#include "core_message_features.h"
 #include "core_message_types.h"
 #include "odk_structs.h"
 
 namespace oemcrypto_core_message {
 namespace serialize {
+using oemcrypto_core_message::features::CoreMessageFeatures;
 
 /**
  * Counterpart (serializer) of ODK_ParseLicense (deserializer)
  * struct-input variant
  *
  * Parameters:
+ *   [in] features feature support for response message.
  *   [in] parsed_lic
  *   [in] core_request
  *   [in] core_request_sha256
  *   [out] oemcrypto_core_message
  */
-bool CreateCoreLicenseResponse(const ODK_ParsedLicense& parsed_lic,
+bool CreateCoreLicenseResponse(const CoreMessageFeatures& features,
+                               const ODK_ParsedLicense& parsed_lic,
                                const ODK_LicenseRequest& core_request,
                                const std::string& core_request_sha256,
                                std::string* oemcrypto_core_message);
@@ -42,11 +48,13 @@ bool CreateCoreLicenseResponse(const ODK_ParsedLicense& parsed_lic,
  * Counterpart (serializer) of ODK_ParseRenewal (deserializer)
  *
  * Parameters:
+ *   [in] features feature support for response message.
  *   [in] core_request
  *   [in] renewal_duration_seconds
  *   [out] oemcrypto_core_message
  */
-bool CreateCoreRenewalResponse(const ODK_RenewalRequest& core_request,
+bool CreateCoreRenewalResponse(const CoreMessageFeatures& features,
+                               const ODK_RenewalRequest& core_request,
                                uint64_t renewal_duration_seconds,
                                std::string* oemcrypto_core_message);
 
@@ -55,11 +63,13 @@ bool CreateCoreRenewalResponse(const ODK_RenewalRequest& core_request,
  * struct-input variant
  *
  * Parameters:
+ *   [in] features feature support for response message.
  *   [in] parsed_prov
  *   [in] core_request
  *   [out] oemcrypto_core_message
  */
-bool CreateCoreProvisioningResponse(const ODK_ParsedProvisioning& parsed_prov,
+bool CreateCoreProvisioningResponse(const CoreMessageFeatures& features,
+                                    const ODK_ParsedProvisioning& parsed_prov,
                                     const ODK_ProvisioningRequest& core_request,
                                     std::string* oemcrypto_core_message);
 }  // namespace serialize

oemcrypto/odk/include/core_message_serialize_proto.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 /*********************************************************************
@@ -17,18 +17,19 @@
 #include <cstdint>
 #include <string>
 
+#include "core_message_features.h"
 #include "core_message_types.h"
 #include "license_protocol.pb.h"
 
 namespace oemcrypto_core_message {
 namespace serialize {
-
 // @ public create response (serializer) functions accepting proto input
 
 /**
  * Counterpart (serializer) of ODK_ParseLicense (deserializer)
  *
  * Parameters:
+ *   [in] features feature support for response message.
  *   [in] serialized_license
           serialized video_widevine::License
  *   [in] core_request oemcrypto core message from request.
@@ -37,23 +38,25 @@ namespace serialize {
  *   [in] uses_padding - if the keys use padding.
  *   [out] oemcrypto_core_message - the serialized oemcrypto core response.
  */
-bool CreateCoreLicenseResponseFromProto(const std::string& serialized_license,
-                                        const ODK_LicenseRequest& core_request,
-                                        const std::string& core_request_sha256,
-                                        const bool nonce_required,
-                                        const bool uses_padding,
-                                        std::string* oemcrypto_core_message);
+bool CreateCoreLicenseResponseFromProto(
+    const oemcrypto_core_message::features::CoreMessageFeatures& features,
+    const std::string& serialized_license,
+    const ODK_LicenseRequest& core_request,
+    const std::string& core_request_sha256, const bool nonce_required,
+    const bool uses_padding, std::string* oemcrypto_core_message);
 
 /**
  * Counterpart (serializer) of ODK_ParseProvisioning (deserializer)
  *
  * Parameters:
+ *   [in] features feature support for response message.
  *   [in] serialized_provisioning_response
  *        serialized video_widevine::ProvisioningResponse
  *   [in] core_request
  *   [out] oemcrypto_core_message
  */
 bool CreateCoreProvisioningResponseFromProto(
+    const oemcrypto_core_message::features::CoreMessageFeatures& features,
     const std::string& serialized_provisioning_response,
     const ODK_ProvisioningRequest& core_request,
     std::string* oemcrypto_core_message);

oemcrypto/odk/include/core_message_types.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 // clang-format off
@@ -96,7 +96,8 @@ struct ODK_RenewalRequest {
 };
 
 /**
- * Output structure for CoreProvisioningRequestFromMessage
+ * Output structure for CoreProvisioningRequestFromMessage and
+ * CoreRenewedProvisioningRequestFromMessage
  * Input structure for CreateCoreProvisioningResponse
  */
 struct ODK_ProvisioningRequest {
@@ -105,6 +106,8 @@ struct ODK_ProvisioningRequest {
   uint32_t nonce;
   uint32_t session_id;
   std::string device_id;
+  uint16_t renewal_type;
+  std::string renewal_data;
 };
 
 }  // namespace oemcrypto_core_message

oemcrypto/odk/include/odk.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 /**
@@ -132,11 +132,11 @@ OEMCryptoResult ODK_InitializeClockValues(ODK_ClockValues* clock_values,
  * This function sets the values in the clock_values structure. It shall be
  * called from OEMCrypto_LoadUsageEntry. When a usage entry from a v15 or
  * earlier license is loaded, the value time_of_license_loaded shall be used
- * in place of time_of_license_signed.
+ * in place of time_of_license_request_signed.
  *
  * @param[in,out]  clock_values: the session's clock data.
- * @param[in] time_of_license_signed: the value time_license_received from the
- *       loaded usage entry.
+ * @param[in] time_of_license_request_signed: the value time_license_received
+ *       from the loaded usage entry.
  * @param[in] time_of_first_decrypt: the value time_of_first_decrypt from the
  *       loaded usage entry.
  * @param[in] time_of_last_decrypt: the value time_of_last_decrypt from the
@@ -152,7 +152,7 @@ OEMCryptoResult ODK_InitializeClockValues(ODK_ClockValues* clock_values,
  * This method is new in version 16 of the API.
  */
 OEMCryptoResult ODK_ReloadClockValues(ODK_ClockValues* clock_values,
-                                      uint64_t time_of_license_signed,
+                                      uint64_t time_of_license_request_signed,
                                       uint64_t time_of_first_decrypt,
                                       uint64_t time_of_last_decrypt,
                                       enum OEMCrypto_Usage_Entry_Status status,
@@ -326,7 +326,7 @@ OEMCryptoResult ODK_PrepareCoreRenewalRequest(uint8_t* message,
  * OEMCrypto_GetDeviceID. The device ID shall be unique to the device, and
  * stable across reboots and factory resets for an L1 device.
  *
- * NOTE: if the message pointer is null and/or input core_message_size is
+ * NOTE: if the message pointer is null and/or input core_message_length is
  * zero, this function returns OEMCrypto_ERROR_SHORT_BUFFER and sets output
  * core_message_size to the size needed.
  *
@@ -351,10 +351,56 @@ OEMCryptoResult ODK_PrepareCoreRenewalRequest(uint8_t* message,
  * This method is new in version 16 of the API.
  */
 OEMCryptoResult ODK_PrepareCoreProvisioningRequest(
-    uint8_t* message, size_t message_length, size_t* core_message_size,
+    uint8_t* message, size_t message_length, size_t* core_message_length,
     const ODK_NonceValues* nonce_values, const uint8_t* device_id,
     size_t device_id_length);
 
+/**
+ * Modifies the message to include a core renewal provisioning request at the
+ * beginning of the message buffer. The values in nonce_values are used to
+ * populate the message.
+ *
+ * This shall be called by OEMCrypto from
+ * OEMCrypto_PrepAndSignProvisioningRequest.
+ *
+ * The buffer device_id shall be the same string returned by
+ * OEMCrypto_GetDeviceID. The device ID shall be unique to the device, and
+ * stable across reboots and factory resets for an L1 device.
+ *
+ * NOTE: if the message pointer is null and/or input core_message_length is
+ * zero, this function returns OEMCrypto_ERROR_SHORT_BUFFER and sets output
+ * core_message_size to the size needed.
+ *
+ * @param[in,out] message: pointer to memory for the entire message. Modified by
+ *       the ODK library.
+ * @param[in] message_length: length of the entire message buffer.
+ * @param[in,out] core_message_size: length of the core message at the beginning
+ *       of the message. (in) size of buffer reserved for the core message, in
+ *       bytes. (out) actual length of the core message, in bytes.
+ * @param[in] nonce_values: pointer to the session's nonce data.
+ * @param[in] device_id: For devices with a keybox, this is the device ID from
+ *       the keybox. For devices with an OEM Certificate, this is a device
+ *       unique id string.
+ * @param[in] device_id_length: length of device_id. The device ID can be at
+ *       most 64 bytes.
+ * @param[in] renewal_type: type of renewal used
+ * @param[in] renewal_data: renewal data used. For renewal_type = 1,
+ *       renewal_data is the Android attestation batch certificate.
+ * @param[in] renewal_data_length: length of renewal_data
+ *
+ * @retval OEMCrypto_SUCCESS
+ * @retval OEMCrypto_ERROR_SHORT_BUFFER: core_message_size is too small
+ * @retval OEMCrypto_ERROR_INVALID_CONTEXT
+ *
+ * @version
+ * This method is new in version 17 of the API.
+ */
+OEMCryptoResult ODK_PrepareCoreRenewedProvisioningRequest(
+    uint8_t* message, size_t message_length, size_t* core_message_length,
+    const ODK_NonceValues* nonce_values, const uint8_t* device_id,
+    size_t device_id_length, uint16_t renewal_type, const uint8_t* renewal_data,
+    size_t renewal_data_length);
+
 /// @}
 
 /// @addtogroup odk_timer
@@ -469,8 +515,6 @@ OEMCryptoResult ODK_RefreshV15Values(const ODK_TimerLimits* timer_limits,
  *       and false when called for OEMCrypto_ReloadLicense.
  * @param[in] usage_entry_present: true if the session has a new usage entry
  *       associated with it created via OEMCrypto_CreateNewUsageEntry.
- * @param[in] request_hash: the hash of the license request core message. This
- *       was computed by OEMCrypto when the license request was signed.
  * @param[in,out] timer_limits: The session's timer limits. These will be
  *       updated.
  * @param[in,out] clock_values: The session's clock values. These will be
@@ -492,7 +536,6 @@ OEMCryptoResult ODK_RefreshV15Values(const ODK_TimerLimits* timer_limits,
 OEMCryptoResult ODK_ParseLicense(
     const uint8_t* message, size_t message_length, size_t core_message_length,
     bool initial_license_load, bool usage_entry_present,
-    const uint8_t request_hash[ODK_SHA256_HASH_SIZE],
     ODK_TimerLimits* timer_limits, ODK_ClockValues* clock_values,
     ODK_NonceValues* nonce_values, ODK_ParsedLicense* parsed_license);
 
@@ -598,6 +641,20 @@ OEMCryptoResult ODK_ParseProvisioning(
     const ODK_NonceValues* nonce_values, const uint8_t* device_id,
     size_t device_id_length, ODK_ParsedProvisioning* parsed_response);
 
+/**
+ * The function ODK_ParseProvisioning will parse the message and verify the
+ * API version is at most the version passed in.
+ *
+ * @param[in] nonce_values: pointer to the session's nonce data.
+ * @param[in] major_versioh: current API major version.
+ * @param[in] minor_version: current API minor version.
+ *
+ * @version
+ * This method is new in version 17 of the API.
+ */
+bool CheckApiVersionAtMost(const ODK_NonceValues* nonce_values,
+                           uint16_t major_version, uint16_t minor_version);
+
 /// @}
 
 #ifdef __cplusplus

oemcrypto/odk/include/odk_attributes.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 #ifndef WIDEVINE_ODK_INCLUDE_ODK_ATTRIBUTES_H_

oemcrypto/odk/include/odk_message.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 #ifndef WIDEVINE_ODK_INCLUDE_ODK_MESSAGE_H_
@@ -17,21 +17,21 @@ extern "C" {
  * ODK_Message is the structure that defines the serialized messages passed
  * between the REE and TEE. ODK_Message is an abstract data type that represents
  * the concept of a message without disclosing the implementation details.  By
- * hiding the internal structure, arbitrary modification to the message fields
- * by code that is not privy to the message definition can be prevented.  By
- * restricting message modification it is possible to enforce message validity
- * and integrity with a small set of primitives that can be careful reviewed.
- * This is important because it allows the assertion to be made that a message's
- * fields are internally consistent after every operation.  As an example, it
- * can be guaranteed that the message status be checked prior to accessing any
- * field, and that the status be set to the proper state when any parse error is
- * detected. If the message definition was exposed, there could be fundamental
- * yet subtle errors in message manipulation anywhere in the code base.  It also
- * makes development easier since any access to the message structure can be
- * tracked through a single point so, for example, it becomes possible to add
- * trace statements globally to all message operations by only changing the
- * field accessors. Finally it simplies maintentance by localizing changes to
- * the message to a few files.
+ * hiding the internal structure, modification of the message fields by code
+ * that is not privy to the message definition can be prevented.  If the message
+ * definition was exposed, there could be serious yet subtle errors in message
+ * manipulation anywhere in the code base.  By restricting message modification
+ * it is possible to enforce validity and integrity with a small set of
+ * primitives that can be carefully reviewed. Checks can be added to verify that
+ * a message's fields are internally consistent before every operation. As an
+ * example, it can be guaranteed that the message status will be checked prior
+ * to accessing any field so parsing will be stopped when the message status is
+ * set after any parse error is detected.  This also makes development easier
+ * since any access to the message structure can be tracked through a single
+ * point so, for example, it becomes possible to add trace statements globally
+ * to all message operations by only changing the field accessors. Finally it
+ * simplifies maintenance by localizing changes to the message structure to a
+ * few files.
  */
 
 #if defined(__GNUC__) || defined(__clang__)
@@ -48,17 +48,20 @@ typedef struct {
 } ALIGNED ODK_Message;
 
 typedef enum {
-  MESSAGE_STATUS_OK = 0xe937fcf7,
-  MESSAGE_STATUS_UNKNOWN_ERROR = 0xe06c1190,
-  MESSAGE_STATUS_OVERFLOW_ERROR = 0xc43ae4bc,
+  MESSAGE_STATUS_OK = 0x7937fcf7,
+  MESSAGE_STATUS_UNKNOWN_ERROR = 0x706c1190,
+  MESSAGE_STATUS_OVERFLOW_ERROR = 0x543ae4bc,
   MESSAGE_STATUS_UNDERFLOW_ERROR = 0x7123cd0b,
   MESSAGE_STATUS_PARSE_ERROR = 0x0b9f6189,
   MESSAGE_STATUS_NULL_POINTER_ERROR = 0x2d66837a,
   MESSAGE_STATUS_API_VALUE_ERROR = 0x6ba34f47,
-  MESSAGE_STATUS_END_OF_MESSAGE_ERROR = 0x998db72a,
-  MESSAGE_STATUS_INVALID_ENUM_VALUE = 0xedb88197,
+  MESSAGE_STATUS_END_OF_MESSAGE_ERROR = 0x798db72a,
+  MESSAGE_STATUS_INVALID_ENUM_VALUE = 0x7db88197,
   MESSAGE_STATUS_INVALID_TAG_ERROR = 0x14dce06a,
-  MESSAGE_STATUS_NOT_INITIALIZED = 0x2990b6c6
+  MESSAGE_STATUS_NOT_INITIALIZED = 0x2990b6c6,
+  MESSAGE_STATUS_OUT_OF_MEMORY = 0x7c5c64cc,
+  MESSAGE_STATUS_MAP_SHARED_MEMORY_FAILED = 0x7afecacf,
+  MESSAGE_STATUS_SECURE_BUFFER_ERROR = 0x78f0e873
 } ODK_MessageStatus;
 
 /*

oemcrypto/odk/include/odk_structs.h

@@ -1,24 +1,25 @@
 // Copyright 2019 Google LLC. All rights reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 #ifndef WIDEVINE_ODK_INCLUDE_ODK_STRUCTS_H_
 #define WIDEVINE_ODK_INCLUDE_ODK_STRUCTS_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #include <stdint.h>
 
 #include "OEMCryptoCENCCommon.h"
 #include "odk_target.h"
 
 /* The version of this library. */
-#define ODK_MAJOR_VERSION 16
-#define ODK_MINOR_VERSION 5
+#define ODK_MAJOR_VERSION 17
+#define ODK_MINOR_VERSION 1
 
 /* ODK Version string. Date changed automatically on each release. */
-// TODO(b/163416999): Remove the following line when we upgrade to v17.
-// The version 16.5 should not be used by any CE CDM release.
-#define ODK_RELEASE_DATE "ODK v16.5 (ALCATRAZ ONLY) 2021-01-22"
-// #define ODK_RELEASE_DATE "ODK v17.0 2021-01-22"
+#define ODK_RELEASE_DATE "ODK v17.1 2022-06-17"
 
 /* The lowest version number for an ODK message. */
 #define ODK_FIRST_VERSION 16
@@ -26,6 +27,7 @@
 /* Some useful constants. */
 #define ODK_DEVICE_ID_LEN_MAX 64
 #define ODK_SHA256_HASH_SIZE 32
+#define ODK_KEYBOX_RENEWAL_DATA_SIZE 1600
 
 /// @addtogroup odk_timer
 /// @{
@@ -88,9 +90,9 @@ typedef struct {
  * on OEMCrypto's system clock, as described in the document "License
  * Duration and Renewal".
  *
- * @param time_of_license_signed: Time that the license request was signed,
- *        based on OEMCrypto's system clock. This value shall be stored and
- *        reloaded with usage entry as time_of_license_received.
+ * @param time_of_license_request_signed: Time that the license request was
+ *        signed, based on OEMCrypto's system clock. This value shall be stored
+ *        and reloaded with usage entry as time_of_license_received.
  * @param time_of_first_decrypt: Time of the first decrypt or call select key,
  *        based on OEMCrypto's system clock. This is 0 if the license has not
  *        been used to decrypt any data. This value shall be stored and reloaded
@@ -113,7 +115,7 @@ typedef struct {
  * This struct changed in API version 16.2.
  */
 typedef struct {
-  uint64_t time_of_license_signed;
+  uint64_t time_of_license_request_signed;
   uint64_t time_of_first_decrypt;
   uint64_t time_of_last_decrypt;
   uint64_t time_of_renewal_request;
@@ -174,11 +176,13 @@ typedef struct {
  *        entitlement keys.
  * @param nonce_required: indicates if the license requires a nonce.
  * @param timer_limits: time limits of the for the license.
+ * @param watermarking: specifies if device supports watermarking.
+ * @param dtcp2_required: specifies if device supports DTCP.
  * @param key_array_length: number of keys present.
  * @param key_array: set of keys to be installed.
  *
  * @version
- * This struct changed in API version 16.2.
+ * This struct changed in API version 17.
  */
 typedef struct {
   OEMCrypto_Substring enc_mac_keys_iv;
@@ -188,6 +192,8 @@ typedef struct {
   OEMCrypto_LicenseType license_type;
   bool nonce_required;
   ODK_TimerLimits timer_limits;
+  uint32_t watermarking;
+  OEMCrypto_DTCP2_CMI_Packet dtcp2_required;
   uint32_t key_array_length;
   OEMCrypto_KeyObject key_array[ODK_MAX_NUM_KEYS];
 } ODK_ParsedLicense;
@@ -215,4 +221,8 @@ typedef struct {
 
 /// @}
 
+#ifdef __cplusplus
+}  // extern "C"
+#endif
+
 #endif  // WIDEVINE_ODK_INCLUDE_ODK_STRUCTS_H_

oemcrypto/odk/include/odk_target.h

@@ -1,5 +1,5 @@
 // Copyright 2019 Google LLC. All rights reserved. This file is distributed
-// under the Widevine Master License Agreement.
+// under the Widevine License Agreement.
 
 // Partners are expected to edit this file to support target specific code
 // and limits.