e2ee: introduce per-participant randomly generated keys

This the second stage in our E2EE journey.

Instead of using a single pre-shared passphrase for deriving the key used for
E2EE, we now establish a secure E2EE communication channel amongst peers.

This channel is implemented using libolm, using XMPP groupchat or JVB channels
as the transport.

Once the secure E2EE channel has been established each participant will generate
a random 32 byte key and exchange it over this channel.

Keys are rotated (well, just re-created at the moment) when a participant joins
or leaves.

JitsiConference.js

@@ -241,6 +241,15 @@ export default function JitsiConference(options) {
      * @private
      */
     this._conferenceJoinAnalyticsEventSent = undefined;
+
+    /**
+     * End-to-End Encryption. Make it available if supported.
+     */
+    if (this.isE2EESupported()) {
+        logger.info('End-to-End Encryprtion is supported');
+
+        this._e2eEncryption = new E2EEncryption(this);
+    }
 }
 
 // FIXME convert JitsiConference to ES6 - ASAP !
@@ -1376,9 +1385,7 @@ JitsiConference.prototype.isInLastN = function(participantId) {
  * conference.
  */
 JitsiConference.prototype.getParticipants = function() {
-    return Object.keys(this.participants).map(function(key) {
-        return this.participants[key];
-    }, this);
+    return Object.values(this.participants);
 };
 
 /**
@@ -1910,7 +1917,7 @@ JitsiConference.prototype._acceptJvbIncomingCall = function(
     try {
         jingleSession.initialize(this.room, this.rtc, {
             ...this.options.config,
-            enableInsertableStreams: Boolean(this._e2eEncryption)
+            enableInsertableStreams: this._isE2EEEnabled()
         });
     } catch (error) {
         GlobalOnErrorHandler.callErrorHandler(error);
@@ -2651,7 +2658,7 @@ JitsiConference.prototype._acceptP2PIncomingCall = function(
         this.room,
         this.rtc, {
             ...this.options.config,
-            enableInsertableStreams: Boolean(this._e2eEncryption)
+            enableInsertableStreams: this._isE2EEEnabled()
         });
 
     logger.info('Starting CallStats for P2P connection...');
@@ -3012,7 +3019,7 @@ JitsiConference.prototype._startP2PSession = function(remoteJid) {
         this.room,
         this.rtc, {
             ...this.options.config,
-            enableInsertableStreams: Boolean(this._e2eEncryption)
+            enableInsertableStreams: this._isE2EEEnabled()
         });
 
     logger.info('Starting CallStats for P2P connection...');
@@ -3374,64 +3381,64 @@ JitsiConference.prototype._sendConferenceLeftAnalyticsEvent = function() {
 };
 
 /**
- * Returns whether End-To-End encryption is supported. Note that not all participants
- * in the conference may support it.
+ * Restarts all active media sessions.
  *
- * @returns {boolean}
+ * @returns {void}
  */
-JitsiConference.prototype.isE2EESupported = function() {
-    const config = this.options.config;
+JitsiConference.prototype._restartMediaSessions = function() {
+    if (this.p2pJingleSession) {
+        this.stopP2PSession();
+    }
+
+    if (this.jvbJingleSession) {
+        this.jvbJingleSession.terminate(
+            null /* success callback => we don't care */,
+            error => {
+                logger.warn('An error occurred while trying to terminate the JVB session', error);
+            }, {
+                reason: 'success',
+                reasonDescription: 'restart required',
+                requestRestart: true,
+                sendSessionTerminate: true
+            });
+    }
 
-    return browser.supportsInsertableStreams() && !(config.testing && config.testing.disableE2EE);
+    this._maybeStartOrStopP2P(false);
 };
 
 /**
- * Initializes the E2E encryption module. Currently any active media session muste be restarted due to
- * the limitation that the insertable streams constraint can only be set when a new PeerConnection instance is created.
+ * Returns whether End-To-End encryption is enabled.
  *
- * @private
- * @returns {void}
+ * @returns {boolean}
  */
-JitsiConference.prototype._initializeE2EEncryption = function() {
-    this._e2eEncryption = new E2EEncryption(this, { salt: this.options.name });
-
-    // Need to re-create the peerconnections in order to apply the insertable streams constraint
-    this.p2pJingleSession && this.stopP2PSession();
-
-    const jvbJingleSession = this.jvbJingleSession;
-
-    jvbJingleSession && jvbJingleSession.terminate(
-        null /* success callback => we don't care */,
-        error => {
-            logger.warn(`An error occurred while trying to terminate ${jvbJingleSession}`, error);
-        }, {
-            reason: 'success',
-            reasonDescription: 'restart required',
-            requestRestart: true,
-            sendSessionTerminate: true
-        });
+JitsiConference.prototype._isE2EEEnabled = function() {
+    return this._e2eEncryption && this._e2eEncryption.isEnabled();
+};
 
-    this._maybeStartOrStopP2P(false);
+/**
+ * Returns whether End-To-End encryption is supported. Note that not all participants
+ * in the conference may support it.
+ *
+ * @returns {boolean}
+ */
+JitsiConference.prototype.isE2EESupported = function() {
+    return E2EEncryption.isSupported(this.options.config);
 };
 
 /**
- * Sets the key to be used for End-To-End encryption.
+ * Enables / disables End-to-End encryption.
  *
- * @param {string} key the key to be used.
+ * @param {boolean} enabled whether to enable E2EE or not.
  * @returns {void}
  */
-JitsiConference.prototype.setE2EEKey = function(key) {
+JitsiConference.prototype.toggleE2EE = function(enabled) {
     if (!this.isE2EESupported()) {
-        logger.warn('Cannot set E2EE key: platform is not supported.');
+        logger.warn('Cannot enable / disable E2EE: platform is not supported.');
 
         return;
     }
 
-    if (!this._e2eEncryption) {
-        this._initializeE2EEncryption();
-    }
-
-    this._e2eEncryption.setKey(key);
+    this._e2eEncryption.setEnabled(enabled);
 };
 
 /**

modules/e2ee/E2EEContext.js

@@ -34,7 +34,7 @@ export default class E2EEcontext {
     constructor(options) {
         this._options = options;
 
-        // Figure out the URL for the worker script. Relative URLs are relative to
+        // Determine the URL for the worker script. Relative URLs are relative to
         // the entry point, not the script that launches the worker.
         let baseUrl = '';
         const ljm = document.querySelector('script[src*="lib-jitsi-meet"]');
@@ -59,6 +59,19 @@ export default class E2EEcontext {
         });
     }
 
+    /**
+     * Cleans up all state associated with the given participant. This is needed when a
+     * participant leaves the current conference.
+     *
+     * @param {string} participantId - The participant that just left.
+     */
+    cleanup(participantId) {
+        this._worker.postMessage({
+            operation: 'cleanup',
+            participantId
+        });
+    }
+
     /**
      * Handles the given {@code RTCRtpReceiver} by creating a {@code TransformStream} which will inject
      * a frame decoder.
@@ -124,24 +137,18 @@ export default class E2EEcontext {
     }
 
     /**
-     * Sets the key to be used for E2EE.
+     * Set the E2EE key for the specified participant.
      *
-     * @param {string} value - Value to be used as the new key. May be falsy to disable end-to-end encryption.
+     * @param {string} participantId - the ID of the participant who's key we are setting.
+     * @param {Uint8Array | boolean} key - they key for the given participant.
+     * @param {Number} keyIndex - the key index.
      */
-    setKey(value) {
-        let key;
-
-        if (value) {
-            const encoder = new TextEncoder();
-
-            key = encoder.encode(value);
-        } else {
-            key = false;
-        }
-
+    setKey(participantId, key, keyIndex) {
         this._worker.postMessage({
             operation: 'setKey',
-            key
+            participantId,
+            key,
+            keyIndex
         });
     }
 }

modules/e2ee/E2EEncryption.js

@@ -1,14 +1,21 @@
 /* global __filename */
+
 import { getLogger } from 'jitsi-meet-logger';
+import debounce from 'lodash.debounce';
 
 import * as JitsiConferenceEvents from '../../JitsiConferenceEvents';
 import RTCEvents from '../../service/RTC/RTCEvents';
 import browser from '../browser';
 
 import E2EEContext from './E2EEContext';
+import { OlmAdapter } from './OlmAdapter';
 
 const logger = getLogger(__filename);
 
+// Period which we'll wait before updating / rotating our keys when a participant
+// joins or leaves.
+const DEBOUNCE_PERIOD = 5000;
+
 /**
  * This module integrates {@link E2EEContext} with {@link JitsiConference} in order to enable E2E encryption.
  */
@@ -16,18 +23,44 @@ export class E2EEncryption {
     /**
      * A constructor.
      * @param {JitsiConference} conference - The conference instance for which E2E encryption is to be enabled.
-     * @param {Object} options
-     * @param {string} options.salt - Salt to be used for key deviation. Check {@link E2EEContext} for more details.
      */
-    constructor(conference, { salt }) {
+    constructor(conference) {
         this.conference = conference;
-        this._e2eeCtx = new E2EEContext({ salt });
+
+        this._conferenceJoined = false;
+        this._enabled = false;
+        this._initialized = false;
+
+        this._e2eeCtx = new E2EEContext({ salt: conference.getName() });
+        this._olmAdapter = new OlmAdapter(conference);
+
+        // Debounce key rotation / ratcheting to avoid a storm of messages.
+        this._ratchetKey = debounce(this._ratchetKeyImpl, DEBOUNCE_PERIOD);
+        this._rotateKey = debounce(this._rotateKeyImpl, DEBOUNCE_PERIOD);
+
+        // Participant join / leave operations. Used for key advancement / rotation.
+        //
+
         this.conference.on(
-            JitsiConferenceEvents._MEDIA_SESSION_STARTED,
-            this._onMediaSessionStarted.bind(this));
+            JitsiConferenceEvents.USER_JOINED,
+            this._onParticipantJoined.bind(this));
+        this.conference.on(
+            JitsiConferenceEvents.USER_LEFT,
+            this._onParticipantLeft.bind(this));
+        this.conference.on(
+            JitsiConferenceEvents.CONFERENCE_JOINED,
+            () => {
+                this._conferenceJoined = true;
+            });
 
+        // Conference media events in order to attach the encryptor / decryptor.
         // FIXME add events to TraceablePeerConnection which will allow to see when there's new receiver or sender
-        //  added instead of shenanigans around conference track events and track muted.
+        // added instead of shenanigans around conference track events and track muted.
+        //
+
+        this.conference.on(
+            JitsiConferenceEvents._MEDIA_SESSION_STARTED,
+            this._onMediaSessionStarted.bind(this));
         this.conference.on(
             JitsiConferenceEvents.TRACK_ADDED,
             track => track.isLocal() && this._onLocalTrackAdded(track));
@@ -37,6 +70,89 @@ export class E2EEncryption {
         this.conference.on(
             JitsiConferenceEvents.TRACK_MUTE_CHANGED,
             this._trackMuteChanged.bind(this));
+
+        // Olm signalling events.
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_E2EE_CHANNEL_READY,
+            this._onParticipantE2EEChannelReady.bind(this));
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_KEY_UPDATED,
+            this._onParticipantKeyUpdated.bind(this));
+    }
+
+    /**
+     * Indicates if E2EE is supported in the current platform.
+     *
+     * @param {object} config - Global configuration.
+     * @returns {boolean}
+     */
+    static isSupported(config) {
+        return browser.supportsInsertableStreams()
+            && OlmAdapter.isSupported()
+            && !(config.testing && config.testing.disableE2EE);
+    }
+
+    /**
+     * Indicates whether E2EE is currently enabled or not.
+     *
+     * @returns {boolean}
+     */
+    isEnabled() {
+        return this._enabled;
+    }
+
+    /**
+     * Enables / disables End-To-End encryption.
+     *
+     * @param {boolean} enabled - whether E2EE should be enabled or not.
+     * @returns {void}
+     */
+    setEnabled(enabled) {
+        if (enabled === this._enabled) {
+            return;
+        }
+
+        this._enabled = enabled;
+
+        if (!this._initialized && enabled) {
+            // Need to re-create the peerconnections in order to apply the insertable streams constraint.
+            // TODO: this was necessary due to some audio issues when indertable streams are used
+            // even though encryption is not performed. This should be fixed in the browser eventually.
+            // https://bugs.chromium.org/p/chromium/issues/detail?id=1103280
+            this.conference._restartMediaSessions();
+
+            this._initialized = true;
+        }
+
+        // Generate a random key in case we are enabling.
+        const key = enabled ? this._generateKey() : false;
+
+        // Send it to others using the E2EE olm channel.
+        this._olmAdapter.updateKey(key).then(index => {
+            // Set our key so we begin encrypting.
+            this._e2eeCtx.setKey(this.conference.myUserId(), key, index);
+        });
+    }
+
+    /**
+     * Generates a new 256 bit random key.
+     *
+     * @returns {Uint8Array}
+     * @private
+     */
+    _generateKey() {
+        return window.crypto.getRandomValues(new Uint8Array(32));
+    }
+
+    /**
+     * Setup E2EE on the new track that has been added to the conference, apply it on all the open peerconnections.
+     * @param {JitsiLocalTrack} track - the new track that's being added to the conference.
+     * @private
+     */
+    _onLocalTrackAdded(track) {
+        for (const session of this.conference._getMediaSessions()) {
+            this._setupSenderE2EEForTrack(session, track);
+        }
     }
 
     /**
@@ -53,32 +169,91 @@ export class E2EEncryption {
     }
 
     /**
-     * Setup E2EE on the new track that has been added to the conference, apply it on all the open peerconnections.
-     * @param {JitsiLocalTrack} track - the new track that's being added to the conference.
+     * Advances (using ratcheting) the current key whern a new participant joins the conference.
      * @private
      */
-    _onLocalTrackAdded(track) {
-        for (const session of this.conference._getMediaSessions()) {
-            this._setupSenderE2EEForTrack(session, track);
+    _onParticipantJoined(id) {
+        logger.debug(`Participant ${id} joined`);
+
+        if (this._conferenceJoined && this._enabled) {
+            this._ratchetKey();
         }
     }
 
     /**
-     * Sets the key to be used for End-To-End encryption.
+     * Rotates the current key when a participant leaves the conference.
+     * @private
+     */
+    _onParticipantLeft(id) {
+        logger.debug(`Participant ${id} left`);
+
+        this._e2eeCtx.cleanup(id);
+
+        if (this._enabled) {
+            this._rotateKey();
+        }
+    }
+
+    /**
+     * Event posted when the E2EE signalling channel has been establioshed with the given participant.
+     * @private
+     */
+    _onParticipantE2EEChannelReady(id) {
+        logger.debug(`E2EE channel with participant ${id} is ready`);
+    }
+
+    /**
+     * Handles an update in a participant's key.
      *
-     * @param {string} key - the key to be used.
-     * @returns {void}
+     * @param {string} id - The participant ID.
+     * @param {Uint8Array | boolean} key - The new key for the participant.
+     * @param {Number} index - The new key's index.
+     * @private
      */
-    setKey(key) {
-        this._e2eeCtx.setKey(key);
+    _onParticipantKeyUpdated(id, key, index) {
+        logger.debug(`Participant ${id} updated their key`);
+
+        this._e2eeCtx.setKey(id, key, index);
+    }
+
+    /**
+     * Advances the current key by using ratcheting.
+     * TODO: not yet implemented, we are just rotating the key at the moment,
+     * which is a heavier operation.
+     *
+     * @private
+     */
+    async _ratchetKeyImpl() {
+        logger.debug('Ratchetting key');
+
+        return this._rotateKey();
+    }
+
+    /**
+     * Rotates the local key. Rotating the key implies creating a new one, then distributing it
+     * to all participants and once they all received it, start using it.
+     *
+     * @private
+     */
+    async _rotateKeyImpl() {
+        logger.debug('Rotating key');
+
+        const key = this._generateKey();
+        const index = await this._olmAdapter.updateKey(key);
+
+        this._e2eeCtx.setKey(this.conference.myUserId(), key, index);
     }
 
     /**
      * Setup E2EE for the receiving side.
      *
-     * @returns {void}
+     * @private
      */
     _setupReceiverE2EEForTrack(tpc, track) {
+        if (!this._enabled) {
+            return;
+        }
+
         const receiver = tpc.findReceiverForTrack(track.track);
 
         if (receiver) {
@@ -93,9 +268,13 @@ export class E2EEncryption {
      *
      * @param {JingleSessionPC} session - the session which sends the media produced by the track.
      * @param {JitsiLocalTrack} track - the local track for which e2e encoder will be configured.
-     * @returns {void}
+     * @private
      */
     _setupSenderE2EEForTrack(session, track) {
+        if (!this._enabled) {
+            return;
+        }
+
         const pc = session.peerconnection;
         const sender = pc && pc.findSenderForTrack(track.track);
 

modules/e2ee/OlmAdapter.js

@@ -0,0 +1,548 @@
+/* global __filename, Olm */
+
+import base64js from 'base64-js';
+import { getLogger } from 'jitsi-meet-logger';
+import isEqual from 'lodash.isequal';
+import { v4 as uuidv4 } from 'uuid';
+
+import * as JitsiConferenceEvents from '../../JitsiConferenceEvents';
+import Deferred from '../util/Deferred';
+import Listenable from '../util/Listenable';
+import { JITSI_MEET_MUC_TYPE } from '../xmpp/xmpp';
+
+const logger = getLogger(__filename);
+
+const REQ_TIMEOUT = 5 * 1000;
+const OLM_MESSAGE_TYPE = 'olm';
+const OLM_MESSAGE_TYPES = {
+    ERROR: 'error',
+    KEY_INFO: 'key-info',
+    KEY_INFO_ACK: 'key-info-ack',
+    SESSION_ACK: 'session-ack',
+    SESSION_INIT: 'session-init'
+};
+
+const kOlmData = Symbol('OlmData');
+
+const OlmAdapterEvents = {
+    PARTICIPANT_E2EE_CHANNEL_READY: 'olm.participant_e2ee_channel_ready',
+    PARTICIPANT_KEY_UPDATED: 'olm.partitipant_key_updated'
+};
+
+/**
+ * This class implements an End-to-End Encrypted communication channel between every two peers
+ * in the conference. This channel uses libolm to achieve E2EE.
+ *
+ * The created channel is then used to exchange the secret key that each participant will use
+ * to encrypt the actual media (see {@link E2EEContext}).
+ *
+ * A simple JSON message based protocol is implemented, which follows a request - response model:
+ * - session-init: Initiates an olm session establishment procedure. This message will be sent
+ *                 by the participant who just joined, to everyone else.
+ * - session-ack: Completes the olm session etablishment. This messsage may contain ancilliary
+ *                encrypted data, more specifically the sender's current key.
+ * - key-info: Includes the sender's most up to date key information.
+ * - key-info-ack: Acknowledges the reception of a key-info request. In addition, it may contain
+ *                 the sender's key information, if available.
+ * - error: Indicates a request processing error has occurred.
+ *
+ * These requessts and responses are transport independent. Currently they are sent using XMPP
+ * MUC private messages.
+ */
+export class OlmAdapter extends Listenable {
+    /**
+     * Creates an adapter instance for the given conference.
+     */
+    constructor(conference) {
+        super();
+
+        this._conf = conference;
+        this._init = new Deferred();
+        this._key = undefined;
+        this._keyIndex = -1;
+        this._reqs = new Map();
+
+        if (OlmAdapter.isSupported()) {
+            this._bootstrapOlm();
+
+            this._conf.on(JitsiConferenceEvents.ENDPOINT_MESSAGE_RECEIVED, this._onEndpointMessageReceived.bind(this));
+            this._conf.on(JitsiConferenceEvents.CONFERENCE_JOINED, this._onConferenceJoined.bind(this));
+            this._conf.on(JitsiConferenceEvents.CONFERENCE_LEFT, this._onConferenceLeft.bind(this));
+            this._conf.on(JitsiConferenceEvents.USER_LEFT, this._onParticipantLeft.bind(this));
+        } else {
+            this._init.reject(new Error('Olm not supported'));
+        }
+    }
+
+    /**
+     * Indicates if olm is supported on the current platform.
+     *
+     * @returns {boolean}
+     */
+    static isSupported() {
+        return typeof window.Olm !== 'undefined';
+    }
+
+    /**
+     * Updates the current participant key and distributes it to all participants in the conference
+     * by sending a key-info message.
+     *
+     * @param {Uint8Array|boolean} key - The new key.
+     * @retrns {Promise<Number>}
+     */
+    async updateKey(key) {
+        // Store it locally for new sessions.
+        this._key = key;
+        this._keyIndex++;
+
+        const promises = [];
+
+        // Broadcast it.
+        for (const participant of this._conf.getParticipants()) {
+            const pId = participant.getId();
+            const olmData = this._getParticipantOlmData(participant);
+
+            // TODO: skip those who don't support E2EE.
+
+            if (!olmData.session) {
+                logger.warn(`Tried to send key to participant ${pId} but we have no session`);
+
+                // eslint-disable-next-line no-continue
+                continue;
+            }
+
+            const uuid = uuidv4();
+            const data = {
+                [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                olm: {
+                    type: OLM_MESSAGE_TYPES.KEY_INFO,
+                    data: {
+                        ciphertext: this._encryptKeyInfo(olmData.session),
+                        uuid
+                    }
+                }
+            };
+            const d = new Deferred();
+
+            d.setRejectTimeout(REQ_TIMEOUT);
+            d.catch(() => {
+                this._reqs.delete(uuid);
+            });
+            this._reqs.set(uuid, d);
+            promises.push(d);
+
+            this._sendMessage(data, pId);
+        }
+
+        await Promise.allSettled(promises);
+
+        // TODO: retry failed ones?
+
+        return this._keyIndex;
+    }
+
+    /**
+     * Internal helper to bootstrap the olm library.
+     *
+     * @returns {Promise<void>}
+     * @private
+     */
+    async _bootstrapOlm() {
+        logger.debug('Initializing Olm...');
+
+        try {
+            await Olm.init();
+
+            this._olmAccount = new Olm.Account();
+            this._olmAccount.create();
+
+            const idKeys = JSON.parse(this._olmAccount.identity_keys());
+
+            this._idKey = idKeys.curve25519;
+
+            logger.debug('Olm initialized!');
+            this._init.resolve();
+        } catch (e) {
+            logger.error('Failed to initialize Olm', e);
+            this._init.reject(e);
+        }
+
+    }
+
+    /**
+     * Internal helper for encrypting the current key information for a given participant.
+     *
+     * @param {Olm.Session} session - Participant's session.
+     * @returns {string} - The encrypted text with the key information.
+     * @private
+     */
+    _encryptKeyInfo(session) {
+        const keyInfo = {};
+
+        if (this._key !== undefined) {
+            keyInfo.key = this._key ? base64js.fromByteArray(this._key) : false;
+            keyInfo.keyIndex = this._keyIndex;
+        }
+
+        return session.encrypt(JSON.stringify(keyInfo));
+    }
+
+    /**
+     * Internal helper for getting the olm related data associated with a participant.
+     *
+     * @param {JitsiParticipant} participant - Participant whose data wants to be extracted.
+     * @returns {Object}
+     * @private
+     */
+    _getParticipantOlmData(participant) {
+        participant[kOlmData] = participant[kOlmData] || {};
+
+        return participant[kOlmData];
+    }
+
+    /**
+     * Handles the conference joined event. Upon joining a conference, the participant
+     * who just joined will start new olm sessions with every other participant.
+     *
+     * @private
+     */
+    async _onConferenceJoined() {
+        logger.debug('Conference joined');
+
+        await this._init;
+
+        const promises = [];
+
+        // Establish a 1-to-1 Olm session with every participant in the conference.
+        // We are forcing the last user to join the conference to start the exchange
+        // so we can send some pre-established secrets in the ACK.
+        for (const participant of this._conf.getParticipants()) {
+            promises.push(this._sendSessionInit(participant));
+        }
+
+        await Promise.allSettled(promises);
+
+        // TODO: retry failed ones.
+        // TODO: skip participants which don't support E2EE.
+    }
+
+    /**
+     * Handles leaving the conference, cleaning up olm sessions.
+     *
+     * @private
+     */
+    async _onConferenceLeft() {
+        logger.debug('Conference left');
+
+        await this._init;
+
+        for (const participant of this._conf.getParticipants()) {
+            this._onParticipantLeft(participant.getId(), participant);
+        }
+
+        if (this._olmAccount) {
+            this._olmAccount.free();
+            this._olmAccount = undefined;
+        }
+    }
+
+    /**
+     * Main message handler. Handles 1-to-1 messages received from other participants
+     * and send the appropriate replies.
+     *
+     * @private
+     */
+    async _onEndpointMessageReceived(participant, payload) {
+        if (payload[JITSI_MEET_MUC_TYPE] !== OLM_MESSAGE_TYPE) {
+            return;
+        }
+
+        if (!payload.olm) {
+            logger.warn('Incorrectly formatted message');
+
+            return;
+        }
+
+        await this._init;
+
+        const msg = payload.olm;
+        const pId = participant.getId();
+        const olmData = this._getParticipantOlmData(participant);
+
+        switch (msg.type) {
+        case OLM_MESSAGE_TYPES.SESSION_INIT: {
+            if (olmData.session) {
+                logger.warn(`Participant ${pId} already has a session`);
+
+                this._sendError(participant, 'Session already established');
+            } else {
+                // Create a session for communicating with this participant.
+
+                const session = new Olm.Session();
+
+                session.create_outbound(this._olmAccount, msg.data.idKey, msg.data.otKey);
+                olmData.session = session;
+
+                // Send ACK
+                const ack = {
+                    [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                    olm: {
+                        type: OLM_MESSAGE_TYPES.SESSION_ACK,
+                        data: {
+                            ciphertext: this._encryptKeyInfo(session),
+                            uuid: msg.data.uuid
+                        }
+                    }
+                };
+
+                this._sendMessage(ack, pId);
+            }
+            break;
+        }
+        case OLM_MESSAGE_TYPES.SESSION_ACK: {
+            if (olmData.session) {
+                logger.warn(`Participant ${pId} already has a session`);
+
+                this._sendError(participant, 'No session found');
+            } else if (msg.data.uuid === olmData.pendingSessionUuid) {
+                const { ciphertext } = msg.data;
+                const d = this._reqs.get(msg.data.uuid);
+                const session = new Olm.Session();
+
+                session.create_inbound(this._olmAccount, ciphertext.body);
+
+                // Remove OT keys that have been used to setup this session.
+                this._olmAccount.remove_one_time_keys(session);
+
+                // Decrypt first message.
+                const data = session.decrypt(ciphertext.type, ciphertext.body);
+
+                olmData.session = session;
+                olmData.pendingSessionUuid = undefined;
+
+                logger.debug(`Olm session established with ${pId}`);
+                this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_E2EE_CHANNEL_READY, pId);
+
+                this._reqs.delete(msg.data.uuid);
+                d.resolve();
+
+                const json = safeJsonParse(data);
+
+                if (json.key) {
+                    const key = base64js.toByteArray(json.key);
+                    const keyIndex = json.keyIndex;
+
+                    olmData.lastKey = key;
+                    this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_KEY_UPDATED, pId, key, keyIndex);
+                }
+            } else {
+                logger.warn('Received ACK with the wrong UUID');
+
+                this._sendError(participant, 'Invalid UUID');
+            }
+            break;
+        }
+        case OLM_MESSAGE_TYPES.ERROR: {
+            logger.error(msg.data.error);
+
+            break;
+        }
+        case OLM_MESSAGE_TYPES.KEY_INFO: {
+            if (olmData.session) {
+                const { ciphertext } = msg.data;
+                const data = olmData.session.decrypt(ciphertext.type, ciphertext.body);
+                const json = safeJsonParse(data);
+
+                if (json.key !== undefined && json.keyIndex !== undefined) {
+                    const key = json.key ? base64js.toByteArray(json.key) : false;
+                    const keyIndex = json.keyIndex;
+
+                    if (!isEqual(olmData.lastKey, key)) {
+                        olmData.lastKey = key;
+                        this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_KEY_UPDATED, pId, key, keyIndex);
+                    }
+
+                    // Send ACK.
+                    const ack = {
+                        [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                        olm: {
+                            type: OLM_MESSAGE_TYPES.KEY_INFO_ACK,
+                            data: {
+                                ciphertext: this._encryptKeyInfo(olmData.session),
+                                uuid: msg.data.uuid
+                            }
+                        }
+                    };
+
+                    this._sendMessage(ack, pId);
+                }
+            } else {
+                logger.debug(`Received key info message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing key-info');
+            }
+            break;
+        }
+        case OLM_MESSAGE_TYPES.KEY_INFO_ACK: {
+            if (olmData.session) {
+                const { ciphertext } = msg.data;
+                const data = olmData.session.decrypt(ciphertext.type, ciphertext.body);
+                const json = safeJsonParse(data);
+
+                if (json.key !== undefined && json.keyIndex !== undefined) {
+                    const key = json.key ? base64js.toByteArray(json.key) : false;
+                    const keyIndex = json.keyIndex;
+
+                    if (!isEqual(olmData.lastKey, key)) {
+                        olmData.lastKey = key;
+                        this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_KEY_UPDATED, pId, key, keyIndex);
+                    }
+                }
+
+                const d = this._reqs.get(msg.data.uuid);
+
+                this._reqs.delete(msg.data.uuid);
+                d.resolve();
+            } else {
+                logger.debug(`Received key info ack message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing key-info-ack');
+            }
+            break;
+        }
+        }
+
+    }
+
+    /**
+     * Handles a participant leaving. When a participant leaves their olm session is destroyed.
+     *
+     * @private
+     */
+    _onParticipantLeft(id, participant) {
+        logger.debug(`Participant ${id} left`);
+
+        const olmData = this._getParticipantOlmData(participant);
+
+        if (olmData.session) {
+            olmData.session.free();
+            olmData.session = undefined;
+        }
+    }
+
+    /**
+     * Builds and sends an error message to the target participant.
+     *
+     * @param {JitsiParticipant} participant - The target participant.
+     * @param {string} error - The error message.
+     * @returns {void}
+     */
+    _sendError(participant, error) {
+        const pId = participant.getId();
+        const err = {
+            [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+            olm: {
+                type: OLM_MESSAGE_TYPES.ERROR,
+                data: {
+                    error
+                }
+            }
+        };
+
+        this._sendMessage(err, pId);
+    }
+
+    /**
+     * Internal helper to send the given object to the given participant ID.
+     * This function merely exists so the transport can be easily swapped.
+     * Currently messages are transmitted via XMPP MUC private messages.
+     *
+     * @param {object} data - The data that will be sent to the target participant.
+     * @param {string} participantId - ID of the target participant.
+     */
+    _sendMessage(data, participantId) {
+        this._conf.sendMessage(data, participantId);
+    }
+
+    /**
+     * Builds and sends the session-init request to the target participant.
+     *
+     * @param {JitsiParticipant} participant - Participant to whom we'll send the request.
+     * @returns {Promise} - The promise will be resolved when the session-ack is received.
+     * @private
+     */
+    _sendSessionInit(participant) {
+        const pId = participant.getId();
+        const olmData = this._getParticipantOlmData(participant);
+
+        if (olmData.session) {
+            logger.warn(`Tried to send session-init to ${pId} but we already have a session`);
+
+            return Promise.reject();
+        }
+
+        if (olmData.pendingSessionUuid !== undefined) {
+            logger.warn(`Tried to send session-init to ${pId} but we already have a pending session`);
+
+            return Promise.reject();
+        }
+
+        // Generate a One Time Key.
+        this._olmAccount.generate_one_time_keys(1);
+
+        const otKeys = JSON.parse(this._olmAccount.one_time_keys());
+        const otKey = Object.values(otKeys.curve25519)[0];
+
+        if (!otKey) {
+            return Promise.reject(new Error('No one-time-keys generated'));
+        }
+
+        // Mark the OT keys (one really) as published so they are not reused.
+        this._olmAccount.mark_keys_as_published();
+
+        const uuid = uuidv4();
+        const init = {
+            [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+            olm: {
+                type: OLM_MESSAGE_TYPES.SESSION_INIT,
+                data: {
+                    idKey: this._idKey,
+                    otKey,
+                    uuid
+                }
+            }
+        };
+
+        const d = new Deferred();
+
+        d.setRejectTimeout(REQ_TIMEOUT);
+        d.catch(() => {
+            this._reqs.delete(uuid);
+            olmData.pendingSessionUuid = undefined;
+        });
+        this._reqs.set(uuid, d);
+
+        this._sendMessage(init, pId);
+
+        // Store the UUID for matching with the ACK.
+        olmData.pendingSessionUuid = uuid;
+
+        return d;
+    }
+}
+
+OlmAdapter.events = OlmAdapterEvents;
+
+/**
+ * Helper to ensure JSON parsing always returns an object.
+ *
+ * @param {string} data - The data that needs to be parsed.
+ * @returns {object} - Parsed data or empty object in case of failure.
+ */
+function safeJsonParse(data) {
+    try {
+        return JSON.parse(data);
+    } catch (e) {
+        return {};
+    }
+}

modules/e2ee/Worker.js

@@ -23,10 +23,7 @@ function polyFillEncodedFrameMetadata(encodedFrame, controller) {
 
 // We use a ringbuffer of keys so we can change them and still decode packets that were
 // encrypted with an old key.
-// In the future when we dont rely on a globally shared key we will actually use it. For
-// now set the size to 1 which means there is only a single key. This causes some
-// glitches when changing the key but its ok.
-const keyRingSize = 1;
+const keyRingSize = 3;
 
 // We use a 96 bit IV for AES GCM. This is signalled in plain together with the
 // packet. See https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams
@@ -62,9 +59,6 @@ const unencryptedBytes = {
 // We currently do not enforce a minimum length of 16 bytes either.
 let _keySalt;
 
-// Raw keyBytes used to derive the key.
-let _keyBytes;
-
 /**
  * Derives a AES-GCM key from the input using PBKDF2
  * The key length can be configured above and should be either 128 or 256 bits.
@@ -86,7 +80,8 @@ async function deriveKey(keyBytes, salt) {
 }
 
 
-/** Per-participant context holding the cryptographic keys and
+/**
+ * Per-participant context holding the cryptographic keys and
  * encode/decode functions
  */
 class Context {
@@ -128,10 +123,11 @@ class Context {
     /**
      * Sets a key and starts using it for encrypting.
      * @param {CryptoKey} key
+     * @param {Number} keyIndex
      */
-    setKey(key) {
-        this._currentKeyIndex++;
-        this._cryptoKeyRing[this._currentKeyIndex % this._cryptoKeyRing.length] = key;
+    setKey(key, keyIndex) {
+        this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;
+        this._cryptoKeyRing[this._currentKeyIndex] = key;
     }
 
     /**
@@ -204,7 +200,7 @@ class Context {
      * 9) Enqueue the encrypted frame for sending.
      */
     encodeFunction(encodedFrame, controller) {
-        const keyIndex = this._currentKeyIndex % this._cryptoKeyRing.length;
+        const keyIndex = this._currentKeyIndex;
 
         if (this._cryptoKeyRing[keyIndex]) {
             const iv = this.makeIV(encodedFrame.getMetadata().synchronizationSource, encodedFrame.timestamp);
@@ -307,8 +303,7 @@ class Context {
                     controller.enqueue(encodedFrame);
                 }
             });
-        } else if (keyIndex >= this._cryptoKeyRing.length
-                && this._cryptoKeyRing[this._currentKeyIndex % this._cryptoKeyRing.length]) {
+        } else if (keyIndex >= this._cryptoKeyRing.length && this._cryptoKeyRing[this._currentKeyIndex]) {
             // If we are encrypting but don't have a key for the remote drop the frame.
             // This is a heuristic since we don't know whether a packet is encrypted,
             // do not have a checksum and do not have signaling for whether a remote participant does
@@ -346,9 +341,6 @@ onmessage = async event => {
             }))
             .pipeThrough(transformStream)
             .pipeTo(writableStream);
-        if (_keyBytes) {
-            context.setKey(await context.deriveKey(_keyBytes, _keySalt));
-        }
     } else if (operation === 'decode') {
         const { readableStream, writableStream, participantId } = event.data;
 
@@ -366,18 +358,23 @@ onmessage = async event => {
             }))
             .pipeThrough(transformStream)
             .pipeTo(writableStream);
-        if (_keyBytes) {
-            context.setKey(await context.deriveKey(_keyBytes, _keySalt));
-        }
     } else if (operation === 'setKey') {
-        _keyBytes = event.data.key;
-        contexts.forEach(async context => {
-            if (_keyBytes) {
-                context.setKey(await context.deriveKey(_keyBytes, _keySalt));
-            } else {
-                context.setKey(false);
-            }
-        });
+        const { participantId, key, keyIndex } = event.data;
+
+        if (!contexts.has(participantId)) {
+            contexts.set(participantId, new Context(participantId));
+        }
+        const context = contexts.get(participantId);
+
+        if (key) {
+            context.setKey(await context.deriveKey(key, _keySalt), keyIndex);
+        } else {
+            context.setKey(false, keyIndex);
+        }
+    } else if (operation === 'cleanup') {
+        const { participantId } = event.data;
+
+        contexts.delete(participantId);
     } else {
         console.error('e2ee worker', operation);
     }

modules/util/Deferred.js

@@ -0,0 +1,43 @@
+
+/**
+ * Promise-like object which can be passed around for resolving it later. It
+ * implements the "thenable" interface, so it can be used wherever a Promise
+ * could be used.
+ *
+ * In addition a "reject on timeout" functionality is provided.
+ */
+export default class Deferred {
+    /**
+     * Instantiates a Deferred object.
+     */
+    constructor() {
+        this.promise = new Promise((resolve, reject) => {
+            this.resolve = (...args) => {
+                this.clearRejectTimeout();
+                resolve(...args);
+            };
+            this.reject = (...args) => {
+                this.clearRejectTimeout();
+                reject(...args);
+            };
+        });
+        this.then = this.promise.then.bind(this.promise);
+        this.catch = this.promise.catch.bind(this.promise);
+    }
+
+    /**
+     * Clears the reject timeout.
+     */
+    clearRejectTimeout() {
+        clearTimeout(this._timeout);
+    }
+
+    /**
+     * Rejects the promise after the given timeout.
+     */
+    setRejectTimeout(ms) {
+        this._timeout = setTimeout(() => {
+            this.reject(new Error('timeout'));
+        }, ms);
+    }
+}

modules/xmpp/xmpp.js

@@ -8,6 +8,7 @@ import * as JitsiConnectionErrors from '../../JitsiConnectionErrors';
 import * as JitsiConnectionEvents from '../../JitsiConnectionEvents';
 import XMPPEvents from '../../service/xmpp/XMPPEvents';
 import browser from '../browser';
+import { E2EEncryption } from '../e2ee/E2EEncryption';
 import GlobalOnErrorHandler from '../util/GlobalOnErrorHandler';
 import Listenable from '../util/Listenable';
 import RandomUtil from '../util/RandomUtil';
@@ -175,7 +176,7 @@ export default class XMPP extends Listenable {
             this.caps.addFeature('urn:xmpp:rayo:client:1');
         }
 
-        if (browser.supportsInsertableStreams() && !(this.options.testing && this.options.testing.disableE2EE)) {
+        if (E2EEncryption.isSupported(this.options)) {
             this.caps.addFeature('https://jitsi.org/meet/e2ee');
         }
     }

package-lock.json

@@ -2019,8 +2019,7 @@
     "base64-js": {
       "version": "1.3.1",
       "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.3.1.tgz",
-      "integrity": "sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g==",
-      "dev": true
+      "integrity": "sha512-mLQ4i2QO1ytvGWFWmcngKO//JXAQueZvwEKtjgQFM4jIK0kU+ytMfplL8j+n5mspOfjHwoAg+9yhb7BwAHm36g=="
     },
     "base64id": {
       "version": "2.0.0",
@@ -5553,6 +5552,11 @@
       "resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz",
       "integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8="
     },
+    "lodash.debounce": {
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/lodash.debounce/-/lodash.debounce-4.0.8.tgz",
+      "integrity": "sha1-gteb/zCmfEAF/9XiUVMArZyk168="
+    },
     "lodash.isequal": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
@@ -8449,10 +8453,9 @@
       "dev": true
     },
     "uuid": {
-      "version": "3.4.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
-      "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
-      "dev": true
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.1.0.tgz",
+      "integrity": "sha512-CI18flHDznR0lq54xBycOVmphdCYnQLKn8abKn7PXUiKUGdEd+/l9LWNJmugXel4hXq7S+RMNl34ecyC9TntWg=="
     },
     "v8-compile-cache": {
       "version": "2.0.3",
@@ -8970,6 +8973,14 @@
       "requires": {
         "ansi-colors": "^3.0.0",
         "uuid": "^3.3.2"
+      },
+      "dependencies": {
+        "uuid": {
+          "version": "3.4.0",
+          "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
+          "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
+          "dev": true
+        }
       }
     },
     "webpack-sources": {

package.json

@@ -20,14 +20,17 @@
     "@jitsi/sdp-interop": "1.0.3",
     "@jitsi/sdp-simulcast": "0.3.0",
     "async": "0.9.0",
+    "base64-js": "1.3.1",
     "current-executing-script": "0.1.3",
     "jitsi-meet-logger": "github:jitsi/jitsi-meet-logger#5ec92357570dc8f0b7ffc1528820721c84c6af8b",
     "lodash.clonedeep": "4.5.0",
+    "lodash.debounce": "4.0.8",
     "lodash.isequal": "4.5.0",
     "sdp-transform": "2.3.0",
     "strophe.js": "1.3.4",
     "strophejs-plugin-disco": "0.0.2",
     "strophejs-plugin-stream-management": "github:jitsi/strophejs-plugin-stream-management#001cf02bef2357234e1ac5d163611b4d60bf2b6a",
+    "uuid": "8.1.0",
     "webrtc-adapter": "7.5.0"
   },
   "devDependencies": {