jfinn
/
lib-jitsi-meet
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2372 Commits
1 Branch
Tree: 735c30ec4f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '735c30ec4f'
${ noResults }
lib-jitsi-meet/modules/e2ee/Worker.js

Worker.js 16KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381 
  1. /* global TransformStream */

  2. 

  3. // Worker for E2EE/Insertable streams.

  4. //

  5. 

  6. /**

  7.  * Polyfill RTCEncoded(Audio|Video)Frame.getMetadata() (not available in M83, available M84+).

  8.  * The polyfill can not be done on the prototype since its not exposed in workers. Instead,

  9.  * it is done as another transformation to keep it separate.

  10.  */

  11. function polyFillEncodedFrameMetadata(encodedFrame, controller) {

  12.     if (!encodedFrame.getMetadata) {

  13.         encodedFrame.getMetadata = function() {

  14.             return {

  15.                 // TODO: provide a more complete polyfill based on additionalData for video.

  16.                 synchronizationSource: this.synchronizationSource,

  17.                 contributingSources: this.contributingSources

  18.             };

  19.         };

  20.     }

  21.     controller.enqueue(encodedFrame);

  22. }

  23. 

  24. // We use a ringbuffer of keys so we can change them and still decode packets that were

  25. // encrypted with an old key.

  26. const keyRingSize = 3;

  27. 

  28. // We use a 96 bit IV for AES GCM. This is signalled in plain together with the

  29. // packet. See https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams

  30. const ivLength = 12;

  31. 

  32. // We use a 128 bit key for AES GCM.

  33. const keyGenParameters = {

  34.     name: 'AES-GCM',

  35.     length: 128

  36. };

  37. 

  38. // We copy the first bytes of the VP8 payload unencrypted.

  39. // For keyframes this is 10 bytes, for non-keyframes (delta) 3. See

  40. //   https://tools.ietf.org/html/rfc6386#section-9.1

  41. // This allows the bridge to continue detecting keyframes (only one byte needed in the JVB)

  42. // and is also a bit easier for the VP8 decoder (i.e. it generates funny garbage pictures

  43. // instead of being unable to decode).

  44. // This is a bit for show and we might want to reduce to 1 unconditionally in the final version.

  45. //

  46. // For audio (where frame.type is not set) we do not encrypt the opus TOC byte:

  47. //   https://tools.ietf.org/html/rfc6716#section-3.1

  48. const unencryptedBytes = {

  49.     key: 10,

  50.     delta: 3,

  51.     undefined: 1 // frame.type is not set on audio

  52. };

  53. 

  54. // Salt used in key derivation

  55. // FIXME: We currently use the MUC room name for this which has the same lifetime

  56. // as this worker. While not (pseudo)random as recommended in

  57. // https://developer.mozilla.org/en-US/docs/Web/API/Pbkdf2Params

  58. // this is easily available and the same for all participants.

  59. // We currently do not enforce a minimum length of 16 bytes either.

  60. let _keySalt;

  61. 

  62. /**

  63.  * Derives a AES-GCM key from the input using PBKDF2

  64.  * The key length can be configured above and should be either 128 or 256 bits.

  65.  * @param {Uint8Array} keyBytes - Value to derive key from

  66.  * @param {Uint8Array} salt - Salt used in key derivation

  67.  */

  68. async function deriveKey(keyBytes, salt) {

  69.     // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey

  70.     const material = await crypto.subtle.importKey('raw', keyBytes,

  71.         'PBKDF2', false, [ 'deriveBits', 'deriveKey' ]);

  72. 

  73.     // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveKey#PBKDF2

  74.     return crypto.subtle.deriveKey({

  75.         name: 'PBKDF2',

  76.         salt,

  77.         iterations: 100000,

  78.         hash: 'SHA-256'

  79.     }, material, keyGenParameters, false, [ 'encrypt', 'decrypt' ]);

  80. }

  81. 

  82. 

  83. /**

  84.  * Per-participant context holding the cryptographic keys and

  85.  * encode/decode functions

  86.  */

  87. class Context {

  88.     /**

  89.      * @param {string} id - local muc resourcepart

  90.      */

  91.     constructor(id) {

  92.         // An array (ring) of keys that we use for sending and receiving.

  93.         this._cryptoKeyRing = new Array(keyRingSize);

  94. 

  95.         // A pointer to the currently used key.

  96.         this._currentKeyIndex = -1;

  97. 

  98.         // We keep track of how many frames we have sent per ssrc.

  99.         // Starts with a random offset similar to the RTP sequence number.

  100.         this._sendCounts = new Map();

  101. 

  102.         this._id = id;

  103.     }

  104. 

  105.     /**

  106.      * Derives a per-participant key.

  107.      * @param {Uint8Array} keyBytes - Value to derive key from

  108.      * @param {Uint8Array} salt - Salt used in key derivation

  109.      */

  110.     async deriveKey(keyBytes, salt) {

  111.         const encoder = new TextEncoder();

  112.         const idBytes = encoder.encode(this._id);

  113. 

  114.         // Separate both parts by a null byte to avoid ambiguity attacks.

  115.         const participantSalt = new Uint8Array(salt.byteLength + idBytes.byteLength + 1);

  116. 

  117.         participantSalt.set(salt);

  118.         participantSalt.set(idBytes, salt.byteLength + 1);

  119. 

  120.         return deriveKey(keyBytes, participantSalt);

  121.     }

  122. 

  123.     /**

  124.      * Sets a key and starts using it for encrypting.

  125.      * @param {CryptoKey} key

  126.      * @param {Number} keyIndex

  127.      */

  128.     setKey(key, keyIndex) {

  129.         this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;

  130.         this._cryptoKeyRing[this._currentKeyIndex] = key;

  131.     }

  132. 

  133.     /**

  134.      * Construct the IV used for AES-GCM and sent (in plain) with the packet similar to

  135.      * https://tools.ietf.org/html/rfc7714#section-8.1

  136.      * It concatenates

  137.      * - the 32 bit synchronization source (SSRC) given on the encoded frame,

  138.      * - the 32 bit rtp timestamp given on the encoded frame,

  139.      * - a send counter that is specific to the SSRC. Starts at a random number.

  140.      * The send counter is essentially the pictureId but we currently have to implement this ourselves.

  141.      * There is no XOR with a salt. Note that this IV leaks the SSRC to the receiver but since this is

  142.      * randomly generated and SFUs may not rewrite this is considered acceptable.

  143.      * The SSRC is used to allow demultiplexing multiple streams with the same key, as described in

  144.      *   https://tools.ietf.org/html/rfc3711#section-4.1.1

  145.      * The RTP timestamp is 32 bits and advances by the codec clock rate (90khz for video, 48khz for

  146.      * opus audio) every second. For video it rolls over roughly every 13 hours.

  147.      * The send counter will advance at the frame rate (30fps for video, 50fps for 20ms opus audio)

  148.      * every second. It will take a long time to roll over.

  149.      *

  150.      * See also https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams

  151.      */

  152.     makeIV(synchronizationSource, timestamp) {

  153.         const iv = new ArrayBuffer(ivLength);

  154.         const ivView = new DataView(iv);

  155. 

  156.         // having to keep our own send count (similar to a picture id) is not ideal.

  157.         if (!this._sendCounts.has(synchronizationSource)) {

  158.             // Initialize with a random offset, similar to the RTP sequence number.

  159.             this._sendCounts.set(synchronizationSource, Math.floor(Math.random() * 0xFFFF));

  160.         }

  161.         const sendCount = this._sendCounts.get(synchronizationSource);

  162. 

  163.         ivView.setUint32(0, synchronizationSource);

  164.         ivView.setUint32(4, timestamp);

  165.         ivView.setUint32(8, sendCount % 0xFFFF);

  166. 

  167.         this._sendCounts.set(synchronizationSource, sendCount + 1);

  168. 

  169.         return iv;

  170.     }

  171. 

  172.     /**

  173.      * Function that will be injected in a stream and will encrypt the given encoded frames.

  174.      *

  175.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  176.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  177.      *

  178.      * The packet format is described below. One of the design goals was to not require

  179.      * changes to the SFU which for video requires not encrypting the keyframe bit of VP8

  180.      * as SFUs need to detect a keyframe (framemarking or the generic frame descriptor will

  181.      * solve this eventually). This also "hides" that a client is using E2EE a bit.

  182.      *

  183.      * Note that this operates on the full frame, i.e. for VP8 the data described in

  184.      *   https://tools.ietf.org/html/rfc6386#section-9.1

  185.      *

  186.      * The VP8 payload descriptor described in

  187.      *   https://tools.ietf.org/html/rfc7741#section-4.2

  188.      * is part of the RTP packet and not part of the frame and is not controllable by us.

  189.      * This is fine as the SFU keeps having access to it for routing.

  190.      *

  191.      * The encrypted frame is formed as follows:

  192.      * 1) Leave the first (10, 3, 1) bytes unencrypted, depending on the frame type and kind.

  193.      * 2) Form the GCM IV for the frame as described above.

  194.      * 3) Encrypt the rest of the frame using AES-GCM.

  195.      * 4) Allocate space for the encrypted frame.

  196.      * 5) Copy the unencrypted bytes to the start of the encrypted frame.

  197.      * 6) Append the ciphertext to the encrypted frame.

  198.      * 7) Append the IV.

  199.      * 8) Append a single byte for the key identifier. TODO: we don't need all the bits.

  200.      * 9) Enqueue the encrypted frame for sending.

  201.      */

  202.     encodeFunction(encodedFrame, controller) {

  203.         const keyIndex = this._currentKeyIndex;

  204. 

  205.         if (this._cryptoKeyRing[keyIndex]) {

  206.             const iv = this.makeIV(encodedFrame.getMetadata().synchronizationSource, encodedFrame.timestamp);

  207. 

  208.             return crypto.subtle.encrypt({

  209.                 name: 'AES-GCM',

  210.                 iv,

  211.                 additionalData: new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])

  212.             }, this._cryptoKeyRing[keyIndex], new Uint8Array(encodedFrame.data,

  213.                 unencryptedBytes[encodedFrame.type]))

  214.             .then(cipherText => {

  215.                 const newData = new ArrayBuffer(unencryptedBytes[encodedFrame.type] + cipherText.byteLength

  216.                     + iv.byteLength + 1);

  217.                 const newUint8 = new Uint8Array(newData);

  218. 

  219.                 newUint8.set(

  220.                     new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])); // copy first bytes.

  221.                 newUint8.set(

  222.                     new Uint8Array(cipherText), unencryptedBytes[encodedFrame.type]); // add ciphertext.

  223.                 newUint8.set(

  224.                     new Uint8Array(iv), unencryptedBytes[encodedFrame.type] + cipherText.byteLength); // append IV.

  225.                 newUint8[unencryptedBytes[encodedFrame.type] + cipherText.byteLength + ivLength]

  226.                     = keyIndex; // set key index.

  227. 

  228.                 encodedFrame.data = newData;

  229. 

  230.                 return controller.enqueue(encodedFrame);

  231.             }, e => {

  232.                 console.error(e);

  233. 

  234.                 // We are not enqueuing the frame here on purpose.

  235.             });

  236.         }

  237. 

  238.         /* NOTE WELL:

  239.          * This will send unencrypted data (only protected by DTLS transport encryption) when no key is configured.

  240.          * This is ok for demo purposes but should not be done once this becomes more relied upon.

  241.          */

  242.         controller.enqueue(encodedFrame);

  243.     }

  244. 

  245.     /**

  246.      * Function that will be injected in a stream and will decrypt the given encoded frames.

  247.      *

  248.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  249.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  250.      *

  251.      * The decrypted frame is formed as follows:

  252.      * 1) Extract the key index from the last byte of the encrypted frame.

  253.      *    If there is no key associated with the key index, the frame is enqueued for decoding

  254.      *    and these steps terminate.

  255.      * 2) Determine the frame type in order to look up the number of unencrypted header bytes.

  256.      * 2) Extract the 12-byte IV from its position near the end of the packet.

  257.      *    Note: the IV is treated as opaque and not reconstructed from the input.

  258.      * 3) Decrypt the encrypted frame content after the unencrypted bytes using AES-GCM.

  259.      * 4) Allocate space for the decrypted frame.

  260.      * 5) Copy the unencrypted bytes from the start of the encrypted frame.

  261.      * 6) Append the plaintext to the decrypted frame.

  262.      * 7) Enqueue the decrypted frame for decoding.

  263.      */

  264.     decodeFunction(encodedFrame, controller) {

  265.         const data = new Uint8Array(encodedFrame.data);

  266.         const keyIndex = data[encodedFrame.data.byteLength - 1];

  267. 

  268.         if (this._cryptoKeyRing[keyIndex]) {

  269.             const iv = new Uint8Array(encodedFrame.data, encodedFrame.data.byteLength - ivLength - 1, ivLength);

  270.             const cipherTextStart = unencryptedBytes[encodedFrame.type];

  271.             const cipherTextLength = encodedFrame.data.byteLength - (unencryptedBytes[encodedFrame.type]

  272.                 + ivLength + 1);

  273. 

  274.             return crypto.subtle.decrypt({

  275.                 name: 'AES-GCM',

  276.                 iv,

  277.                 additionalData: new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])

  278.             }, this._cryptoKeyRing[keyIndex], new Uint8Array(encodedFrame.data, cipherTextStart, cipherTextLength))

  279.             .then(plainText => {

  280.                 const newData = new ArrayBuffer(unencryptedBytes[encodedFrame.type] + plainText.byteLength);

  281.                 const newUint8 = new Uint8Array(newData);

  282. 

  283.                 newUint8.set(new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type]));

  284.                 newUint8.set(new Uint8Array(plainText), unencryptedBytes[encodedFrame.type]);

  285. 

  286.                 encodedFrame.data = newData;

  287. 

  288.                 return controller.enqueue(encodedFrame);

  289.             }, e => {

  290.                 console.error(e);

  291. 

  292.                 // TODO: notify the application about error status.

  293. 

  294.                 // TODO: For video we need a better strategy since we do not want to based any

  295.                 // non-error frames on a garbage keyframe.

  296.                 if (encodedFrame.type === undefined) { // audio, replace with silence.

  297.                     // audio, replace with silence.

  298.                     const newData = new ArrayBuffer(3);

  299.                     const newUint8 = new Uint8Array(newData);

  300. 

  301.                     newUint8.set([ 0xd8, 0xff, 0xfe ]); // opus silence frame.

  302.                     encodedFrame.data = newData;

  303.                     controller.enqueue(encodedFrame);

  304.                 }

  305.             });

  306.         } else if (keyIndex >= this._cryptoKeyRing.length && this._cryptoKeyRing[this._currentKeyIndex]) {

  307.             // If we are encrypting but don't have a key for the remote drop the frame.

  308.             // This is a heuristic since we don't know whether a packet is encrypted,

  309.             // do not have a checksum and do not have signaling for whether a remote participant does

  310.             // encrypt or not.

  311.             return;

  312.         }

  313. 

  314.         // TODO: this just passes through to the decoder. Is that ok? If we don't know the key yet

  315.         // we might want to buffer a bit but it is still unclear how to do that (and for how long etc).

  316.         controller.enqueue(encodedFrame);

  317.     }

  318. }

  319. 

  320. const contexts = new Map(); // Map participant id => context

  321. 

  322. onmessage = async event => {

  323.     const { operation } = event.data;

  324. 

  325.     if (operation === 'initialize') {

  326.         _keySalt = event.data.salt;

  327.     } else if (operation === 'encode') {

  328.         const { readableStream, writableStream, participantId } = event.data;

  329. 

  330.         if (!contexts.has(participantId)) {

  331.             contexts.set(participantId, new Context(participantId));

  332.         }

  333.         const context = contexts.get(participantId);

  334.         const transformStream = new TransformStream({

  335.             transform: context.encodeFunction.bind(context)

  336.         });

  337. 

  338.         readableStream

  339.             .pipeThrough(new TransformStream({

  340.                 transform: polyFillEncodedFrameMetadata // M83 polyfill.

  341.             }))

  342.             .pipeThrough(transformStream)

  343.             .pipeTo(writableStream);

  344.     } else if (operation === 'decode') {

  345.         const { readableStream, writableStream, participantId } = event.data;

  346. 

  347.         if (!contexts.has(participantId)) {

  348.             contexts.set(participantId, new Context(participantId));

  349.         }

  350.         const context = contexts.get(participantId);

  351.         const transformStream = new TransformStream({

  352.             transform: context.decodeFunction.bind(context)

  353.         });

  354. 

  355.         readableStream

  356.             .pipeThrough(new TransformStream({

  357.                 transform: polyFillEncodedFrameMetadata // M83 polyfill.

  358.             }))

  359.             .pipeThrough(transformStream)

  360.             .pipeTo(writableStream);

  361.     } else if (operation === 'setKey') {

  362.         const { participantId, key, keyIndex } = event.data;

  363. 

  364.         if (!contexts.has(participantId)) {

  365.             contexts.set(participantId, new Context(participantId));

  366.         }

  367.         const context = contexts.get(participantId);

  368. 

  369.         if (key) {

  370.             context.setKey(await context.deriveKey(key, _keySalt), keyIndex);

  371.         } else {

  372.             context.setKey(false, keyIndex);

  373.         }

  374.     } else if (operation === 'cleanup') {

  375.         const { participantId } = event.data;

  376. 

  377.         contexts.delete(participantId);

  378.     } else {

  379.         console.error('e2ee worker', operation);

  380.     }

  381. };