fix(audit): address C2, C3, M4, M5 from 2026-05-25 audit

C2: Add EncryptingTransport wrapper — all media I/O now goes through
ChaChaSession encrypt/decrypt before hitting the QUIC datagram path.
cli.rs run_live/run_silence/run_file_mode accept Arc<dyn MediaTransport>
and receive a wrapped transport after the handshake.

C3: Wire VideoScorer::observe() into both plain and trunked forwarding
loops in room.rs. Packets from participants with Abusive verdict are
dropped before forwarding. last_bwe_kbps tracked from quality reports.

M4: Widen FEC repair symbol index from u8 to u16 throughout
(FecEncoder::generate_repair, FecDecoder::add_symbol, all call sites in
call.rs, bench.rs, pipeline.rs, wzp-android). Eliminates theoretical
wrapping when num_source + repair_count > 255.

M5: Track last_encrypt_timestamp in ChaChaSession. debug_assert in
encrypt() that timestamp is non-decreasing across calls (including post-
rekey). complete_rekey() explicitly preserves last_encrypt_timestamp to
prevent accidental timestamp reset regressions.

583 tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Siavash Sameni
2026-05-25 06:20:05 +04:00
parent 15af58a95d
commit 52a6f5e048
13 changed files with 299 additions and 29 deletions


@@ -796,7 +796,7 @@ async fn run_call(
),
seq: rs,
timestamp: t,
fec_block: ((sym_idx as u16) << 8) | (block_id as u16),
fec_block: (sym_idx << 8) | (block_id as u16),
},
payload: Bytes::from(repair_data),
quality_report: None,
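Review bot: the widened `sym_idx: u16` is still packed into the upper 8 bits of a 16-bit `fec_block`, so `(sym_idx << 8) | (block_id as u16)` silently discards any symbol index above 255 (a `u16` left shift does not panic on bits shifted out, even in debug builds); the wrapping that M4 in the commit message says is eliminated is moved from the `u8` counter to the header pack rather than removed. Either give the symbol index its own 16 bits in the on-wire header, or add `debug_assert!(sym_idx <= u8::MAX as u16)` (or return an error) immediately before this pack so a truncated index is caught instead of being sent as a mislabelled repair symbol.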
@@ -949,7 +949,7 @@ async fn run_call(
let is_repair = pkt.header.is_repair();
let pkt_block = pkt.header.fec_block as u8;
let pkt_symbol = (pkt.header.fec_block >> 8) as u8;
let pkt_symbol = pkt.header.fec_block >> 8;
let pkt_is_opus = pkt.header.codec_id.is_opus();
// Phase 2: Opus packets bypass RaptorQ entirely — DRED
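Review bot: `pkt.header.fec_block >> 8` on a `u16` field can only yield 0..=255, so `pkt_symbol` is now a `u16` in type but the receive side still recovers at most 8 bits of symbol index; this is consistent with the sender's pack in the hunk above, but it means the `u16` widening of `FecDecoder::add_symbol` changes nothing on the wire until the header layout does. A short comment here stating that `fec_block` carries `block_id` in the low byte and the symbol index in the high byte (matching the `as u8` on the line before) would keep a later header-format change from leaving this decode silently out of step with the encode.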