add failure tolerance for framecryptor.

webrtc-sdk · Sep 9, 2023 · 6afb155 · 6afb155
1 parent 31774d3
commit 6afb155
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 9 deletions.
diff --git a/api/crypto/frame_crypto_transformer.cc b/api/crypto/frame_crypto_transformer.cc
@@ -219,7 +219,7 @@ int AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
   }
 
   if (!ok) {
-    RTC_LOG(LS_ERROR) << "Failed to perform AES-GCM operation.";
+    RTC_LOG(LS_WARNING) << "Failed to perform AES-GCM operation.";
     return OperationError;
   }
 
@@ -593,7 +593,7 @@ void FrameCryptorTransformer::decryptFrame(
           decryption_success = true;
           // success, so we set the new key
           key_handler->SetKeyFromMaterial(new_material, key_index);
-          key_handler->SetHasValidKey(true);
+          key_handler->SetHasValidKey();
           if (last_dec_error_ != FrameCryptionState::kKeyRatcheted) {
             last_dec_error_ = FrameCryptionState::kKeyRatcheted;
             if (observer_)
@@ -622,7 +622,7 @@ void FrameCryptorTransformer::decryptFrame(
   if (!decryption_success) {
     if (last_dec_error_ != FrameCryptionState::kDecryptionFailed) {
       last_dec_error_ = FrameCryptionState::kDecryptionFailed;
-      key_handler->SetHasValidKey(false);
+      key_handler->DecryptionFailure();
       if (observer_)
         observer_->OnFrameCryptionStateChanged(participant_id_,
                                                last_dec_error_);

diff --git a/api/crypto/frame_crypto_transformer.h b/api/crypto/frame_crypto_transformer.h
@@ -41,12 +41,14 @@ struct KeyProviderOptions {
   std::vector<uint8_t> ratchet_salt;
   std::vector<uint8_t> uncrypted_magic_bytes;
   int ratchet_window_size;
-  KeyProviderOptions() : shared_key(false), ratchet_window_size(0) {}
+  int failure_tolerance;
+  KeyProviderOptions() : shared_key(false), ratchet_window_size(0), failure_tolerance(-1) {}
   KeyProviderOptions(KeyProviderOptions& copy)
       : shared_key(copy.shared_key),
         ratchet_salt(copy.ratchet_salt),
         uncrypted_magic_bytes(copy.uncrypted_magic_bytes),
-        ratchet_window_size(copy.ratchet_window_size) {}
+        ratchet_window_size(copy.ratchet_window_size),
+        failure_tolerance(copy.failure_tolerance) {}
 };
 
 class KeyProvider : public rtc::RefCountInterface {
@@ -116,7 +118,7 @@ class ParticipantKeyHandler {
     }
     SetKeyFromMaterial(new_material,
                        key_index != -1 ? key_index : current_key_index_);
-    SetHasValidKey(true);
+    SetHasValidKey();
     return new_material;
   }
 
@@ -127,7 +129,7 @@ class ParticipantKeyHandler {
 
   virtual void SetKey(std::vector<uint8_t> password, int key_index) {
     SetKeyFromMaterial(password, key_index);
-    SetHasValidKey(true);
+    SetHasValidKey();
   }
 
   std::vector<uint8_t> RatchetKeyMaterial(
@@ -156,9 +158,10 @@ class ParticipantKeyHandler {
     return has_valid_key_;
   }
 
-  void SetHasValidKey(bool has_valid_key) {
+  void SetHasValidKey() {
     webrtc::MutexLock lock(&mutex_);
-    has_valid_key_ = has_valid_key;
+    decryption_failure_count_ = 0;
+    has_valid_key_ = true;
   }
 
   void SetKeyFromMaterial(std::vector<uint8_t> password, int key_index) {
@@ -170,8 +173,21 @@ class ParticipantKeyHandler {
         DeriveKeys(password, key_provider_->options().ratchet_salt, 128);
   }
 
+  void DecryptionFailure() {
+    webrtc::MutexLock lock(&mutex_);
+    if (key_provider_->options().failure_tolerance < 0) {
+      return;
+    }
+    decryption_failure_count_ += 1;
+
+    if (decryption_failure_count_ > key_provider_->options().failure_tolerance) {
+      has_valid_key_ = false;
+    }
+  }
+
  private:
   bool has_valid_key_ = false;
+  int decryption_failure_count_ = 0;
   mutable webrtc::Mutex mutex_;
   int current_key_index_ = 0;
   KeyProvider* key_provider_;