Enable authentication of the header as an optional WebRTC trial.
TBR=asapersson@webrtc.org
Bug: webrtc:10103
Change-Id: I3dce3cd06afab62cc30761395299dbb1c02ae444
Reviewed-on: https://webrtc-review.googlesource.com/c/113464
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Reviewed-by: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#25938}
diff --git a/modules/rtp_rtcp/source/rtp_sender_video.cc b/modules/rtp_rtcp/source/rtp_sender_video.cc
index bb4faa0..ec65a45 100644
--- a/modules/rtp_rtcp/source/rtp_sender_video.cc
+++ b/modules/rtp_rtcp/source/rtp_sender_video.cc
@@ -32,6 +32,7 @@
#include "rtc_base/checks.h"
#include "rtc_base/logging.h"
#include "rtc_base/trace_event.h"
+#include "system_wrappers/include/field_trial.h"
namespace webrtc {
@@ -170,7 +171,9 @@
fec_bitrate_(1000, RateStatistics::kBpsScale),
video_bitrate_(1000, RateStatistics::kBpsScale),
frame_encryptor_(frame_encryptor),
- require_frame_encryption_(require_frame_encryption) {}
+ require_frame_encryption_(require_frame_encryption),
+ generic_descriptor_auth_experiment_(
+ field_trial::IsEnabled("WebRTC-GenericDescriptorAuth")) {}
RTPSenderVideo::~RTPSenderVideo() {}
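Review bot: The trial name `"WebRTC-GenericDescriptorAuth"` is written as a string literal in this initializer and again in the BufferedFrameDecryptor constructor in video/buffered_frame_decryptor.cc. Sender and receiver only pass matching additional data if both look up exactly the same name, so a typo or a later rename on one side would desynchronise them with no compile-time signal. A single shared definition would remove that risk, for example `constexpr char kGenericDescriptorAuthTrial[] = "WebRTC-GenericDescriptorAuth";` (name is a suggestion) in a header both files include. The constructor's signature and the start of its initializer list are outside the hunk.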
@@ -511,9 +514,15 @@
encrypted_video_payload.SetSize(max_ciphertext_size);
size_t bytes_written = 0;
+
+ // Only enable header authentication if the field trial is enabled.
+ rtc::ArrayView<const uint8_t> additional_data;
+ if (generic_descriptor_auth_experiment_) {
+ additional_data = generic_descriptor_raw;
+ }
+
if (frame_encryptor_->Encrypt(
- cricket::MEDIA_TYPE_VIDEO, first_packet->Ssrc(),
- generic_descriptor_raw,
+ cricket::MEDIA_TYPE_VIDEO, first_packet->Ssrc(), additional_data,
rtc::MakeArrayView(payload_data, payload_size),
encrypted_video_payload, &bytes_written) != 0) {
return false;
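Review bot: With the trial off, `additional_data` stays empty, so the `generic_descriptor_raw` bytes that the removed lines always passed to `Encrypt()` are no longer covered. The default for this call has therefore moved from an authenticated header to an unauthenticated one, and the matching `Decrypt()` call in video/buffered_frame_decryptor.cc gets the same default. The comment above the `if` should state that consequence, e.g. `// Trial off: the generic descriptor is not authenticated, so a receiver cannot detect modification of it in transit.` This assumes the FrameEncryptorInterface implementation treats the argument as AEAD associated data, which is not visible here and should be confirmed. Both peers must also run with the same trial state, otherwise the additional data differs and decryption would be expected to fail for every frame. The enclosing function starts and ends outside the hunk.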
diff --git a/modules/rtp_rtcp/source/rtp_sender_video.h b/modules/rtp_rtcp/source/rtp_sender_video.h
index 30f7674..3e6dfd5 100644
--- a/modules/rtp_rtcp/source/rtp_sender_video.h
+++ b/modules/rtp_rtcp/source/rtp_sender_video.h
@@ -171,6 +171,8 @@
// initialized frame_encryptor_ before being sent out of the network.
// Otherwise these payloads will be dropped.
bool require_frame_encryption_;
+ // Set to true if the generic descriptor should be authenticated.
+ const bool generic_descriptor_auth_experiment_;
};
} // namespace webrtc
diff --git a/video/buffered_frame_decryptor.cc b/video/buffered_frame_decryptor.cc
index daff129..1f69195 100644
--- a/video/buffered_frame_decryptor.cc
+++ b/video/buffered_frame_decryptor.cc
@@ -14,13 +14,16 @@
#include "rtc_base/logging.h"
#include "rtc_base/system/fallthrough.h"
+#include "system_wrappers/include/field_trial.h"
namespace webrtc {
BufferedFrameDecryptor::BufferedFrameDecryptor(
OnDecryptedFrameCallback* decrypted_frame_callback,
rtc::scoped_refptr<FrameDecryptorInterface> frame_decryptor)
- : frame_decryptor_(std::move(frame_decryptor)),
+ : generic_descriptor_auth_experiment_(
+ field_trial::IsEnabled("WebRTC-GenericDescriptorAuth")),
+ frame_decryptor_(std::move(frame_decryptor)),
decrypted_frame_callback_(decrypted_frame_callback) {}
BufferedFrameDecryptor::~BufferedFrameDecryptor() {}
@@ -69,12 +72,19 @@
// Place the decrypted frame inline into the existing frame.
rtc::ArrayView<uint8_t> inline_decrypted_bitstream(frame->MutableBuffer(),
max_plaintext_byte_size);
+
+ // Only enable authenticating the header if the field trial is enabled.
+ rtc::ArrayView<const uint8_t> additional_data;
+ if (generic_descriptor_auth_experiment_) {
+ additional_data = descriptor->GetByteRepresentation();
+ }
+
// Attempt to decrypt the video frame.
size_t bytes_written = 0;
- if (frame_decryptor_->Decrypt(
- cricket::MEDIA_TYPE_VIDEO, /*csrcs=*/{},
- descriptor->GetByteRepresentation(), encrypted_frame_bitstream,
- inline_decrypted_bitstream, &bytes_written) != 0) {
+ if (frame_decryptor_->Decrypt(cricket::MEDIA_TYPE_VIDEO, /*csrcs=*/{},
+ additional_data, encrypted_frame_bitstream,
+ inline_decrypted_bitstream,
+ &bytes_written) != 0) {
// Only stash frames if we have never decrypted a frame before.
return first_frame_decrypted_ ? FrameDecision::kDrop
: FrameDecision::kStash;
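Review bot: A trial-state mismatch between peers cannot be told apart from a wrong key in this failure branch. If the sender authenticated the descriptor and this side passes an empty `additional_data`, or the reverse, `Decrypt()` presumably returns non-zero and the frame is stashed or dropped with nothing recorded about why. A log in the branch that includes the flag would make this diagnosable, e.g. `RTC_LOG(LS_WARNING) << "Frame decryption failed; descriptor auth enabled: " << generic_descriptor_auth_experiment_;`, emitted once or rate-limited rather than per frame. The enclosing function starts and ends outside the hunk.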
diff --git a/video/buffered_frame_decryptor.h b/video/buffered_frame_decryptor.h
index be6ff9a..28a0b55 100644
--- a/video/buffered_frame_decryptor.h
+++ b/video/buffered_frame_decryptor.h
@@ -69,6 +69,7 @@
static const size_t kMaxStashedFrames = 24;
+ const bool generic_descriptor_auth_experiment_;
bool first_frame_decrypted_ = false;
const rtc::scoped_refptr<FrameDecryptorInterface> frame_decryptor_;
OnDecryptedFrameCallback* const decrypted_frame_callback_;
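Review bot: `generic_descriptor_auth_experiment_` is added here without a comment, while the same member in modules/rtp_rtcp/source/rtp_sender_video.h is documented. I would add `// True when the WebRTC-GenericDescriptorAuth field trial is enabled; the generic descriptor is then passed to Decrypt() as additional data.` above the declaration. The class declaration starts and ends outside the hunk.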