jfinn
/
lib-jitsi-meet
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2205 Commits
1 Branch
Tree: c3fd3431a6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c3fd3431a6'
${ noResults }
lib-jitsi-meet/modules/e2ee/E2EEContext.js

E2EEContext.js 16KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357 
  1. /* global __filename, TransformStream */

  2. 

  3. import { getLogger } from 'jitsi-meet-logger';

  4. 

  5. const logger = getLogger(__filename);

  6. 

  7. // We use a ringbuffer of keys so we can change them and still decode packets that were

  8. // encrypted with an old key.

  9. // In the future when we dont rely on a globally shared key we will actually use it. For

  10. // now set the size to 1 which means there is only a single key. This causes some

  11. // glitches when changing the key but its ok.

  12. const keyRingSize = 1;

  13. 

  14. // We use a 96 bit IV for AES GCM. This is signalled in plain together with the

  15. // packet. See https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams

  16. const ivLength = 12;

  17. 

  18. // We copy the first bytes of the VP8 payload unencrypted.

  19. // For keyframes this is 10 bytes, for non-keyframes (delta) 3. See

  20. //   https://tools.ietf.org/html/rfc6386#section-9.1

  21. // This allows the bridge to continue detecting keyframes (only one byte needed in the JVB)

  22. // and is also a bit easier for the VP8 decoder (i.e. it generates funny garbage pictures

  23. // instead of being unable to decode).

  24. // This is a bit for show and we might want to reduce to 1 unconditionally in the final version.

  25. //

  26. // For audio (where frame.type is not set) we do not encrypt the opus TOC byte:

  27. //   https://tools.ietf.org/html/rfc6716#section-3.1

  28. const unencryptedBytes = {

  29.     key: 10,

  30.     delta: 3,

  31.     undefined: 1 // frame.type is not set on audio

  32. };

  33. 

  34. // Flag to set on senders / receivers to avoid setting up the encryption transform

  35. // more than once.

  36. const kJitsiE2EE = Symbol('kJitsiE2EE');

  37. 

  38. /**

  39.  * Context encapsulating the cryptography bits required for E2EE.

  40.  * This uses the WebRTC Insertable Streams API which is explained in

  41.  *   https://github.com/alvestrand/webrtc-media-streams/blob/master/explainer.md

  42.  * that provides access to the encoded frames and allows them to be transformed.

  43.  *

  44.  * The encoded frame format is explained below in the _encodeFunction method.

  45.  * High level design goals were:.

  46.  * - do not require changes to existing SFUs and retain (VP8) metadata.

  47.  * - allow the SFU to rewrite SSRCs, timestamp, pictureId.

  48.  * - allow for the key to be rotated frequently.

  49.  */

  50. export default class E2EEcontext {

  51. 

  52.     /**

  53.      * Build a new E2EE context instance, which will be used in a given conference.

  54.      *

  55.      * @param {string} options.salt - Salt to be used for key deviation.

  56.      *      FIXME: We currently use the MUC room name for this which has the same lifetime

  57.      *      as this context. While not (pseudo)random as recommended in

  58.      *        https://developer.mozilla.org/en-US/docs/Web/API/Pbkdf2Params

  59.      *      this is easily available and the same for all participants.

  60.      *      We currently do not enforce a minimum length of 16 bytes either.

  61.      */

  62.     constructor(options) {

  63.         this._options = options;

  64. 

  65.         // An array (ring) of keys that we use for sending and receiving.

  66.         this._cryptoKeyRing = new Array(keyRingSize);

  67. 

  68.         // A pointer to the currently used key.

  69.         this._currentKeyIndex = -1;

  70. 

  71.         // We keep track of how many frames we have sent per ssrc.

  72.         // Starts with a random offset similar to the RTP sequence number.

  73.         this._sendCounts = new Map();

  74. 

  75.         // Initialize the salt and convert it once.

  76.         const encoder = new TextEncoder();

  77. 

  78.         this._salt = encoder.encode(options.salt);

  79.     }

  80. 

  81.     /**

  82.      * Handles the given {@code RTCRtpReceiver} by creating a {@code TransformStream} which will injecct

  83.      * a frame decoder.

  84.      *

  85.      * @param {RTCRtpReceiver} receiver - The receiver which will get the decoding function injected.

  86.      * @param {string} kind - The kind of track this receiver belongs to.

  87.      */

  88.     handleReceiver(receiver, kind) {

  89.         if (receiver[kJitsiE2EE]) {

  90.             return;

  91.         }

  92. 

  93.         const receiverStreams

  94.             = kind === 'video' ? receiver.createEncodedVideoStreams() : receiver.createEncodedAudioStreams();

  95.         const transform = new TransformStream({

  96.             transform: this._decodeFunction.bind(this)

  97.         });

  98. 

  99.         receiverStreams.readableStream

  100.             .pipeThrough(transform)

  101.             .pipeTo(receiverStreams.writableStream);

  102. 

  103.         receiver[kJitsiE2EE] = true;

  104.     }

  105. 

  106.     /**

  107.      * Handles the given {@code RTCRtpSender} by creating a {@code TransformStream} which will injecct

  108.      * a frame encoder.

  109.      *

  110.      * @param {RTCRtpSender} sender - The sender which will get the encoding funcction injected.

  111.      * @param {string} kind - The kind of track this sender belongs to.

  112.      */

  113.     handleSender(sender, kind) {

  114.         if (sender[kJitsiE2EE]) {

  115.             return;

  116.         }

  117. 

  118.         const senderStreams

  119.             = kind === 'video' ? sender.createEncodedVideoStreams() : sender.createEncodedAudioStreams();

  120.         const transform = new TransformStream({

  121.             transform: this._encodeFunction.bind(this)

  122.         });

  123. 

  124.         senderStreams.readableStream

  125.             .pipeThrough(transform)

  126.             .pipeTo(senderStreams.writableStream);

  127. 

  128.         sender[kJitsiE2EE] = true;

  129.     }

  130. 

  131.     /**

  132.      * Sets the key to be used for E2EE.

  133.      *

  134.      * @param {string} value - Value to be used as the new key. May be falsy to disable end-to-end encryption.

  135.      */

  136.     async setKey(value) {

  137.         let key;

  138. 

  139.         if (value) {

  140.             const encoder = new TextEncoder();

  141. 

  142.             key = await this._deriveKey(encoder.encode(value));

  143.         } else {

  144.             key = false;

  145.         }

  146.         this._currentKeyIndex++;

  147.         this._cryptoKeyRing[this._currentKeyIndex % this._cryptoKeyRing.length] = key;

  148.     }

  149. 

  150.     /**

  151.      * Derives a AES-GCM key with 128 bits from the input using PBKDF2

  152.      * The salt is configured in the constructor of this class.

  153.      * @param {Uint8Array} keyBytes - Value to derive key from

  154.      */

  155.     async _deriveKey(keyBytes) {

  156.         // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey

  157.         const material = await crypto.subtle.importKey('raw', keyBytes,

  158.             'PBKDF2', false, [ 'deriveBits', 'deriveKey' ]);

  159. 

  160.         // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveKey#PBKDF2

  161.         return crypto.subtle.deriveKey({

  162.             name: 'PBKDF2',

  163.             salt: this._salt,

  164.             iterations: 100000,

  165.             hash: 'SHA-256'

  166.         }, material, {

  167.             name: 'AES-GCM',

  168.             length: 128

  169.         }, false, [ 'encrypt', 'decrypt' ]);

  170.     }

  171. 

  172.     /**

  173.      * Construct the IV used for AES-GCM and sent (in plain) with the packet similar to

  174.      * https://tools.ietf.org/html/rfc7714#section-8.1

  175.      * It concatenates

  176.      * - the 32 bit synchronization source (SSRC) given on the encoded frame,

  177.      * - the 32 bit rtp timestamp given on the encoded frame,

  178.      * - a send counter that is specific to the SSRC. Starts at a random number.

  179.      * The send counter is essentially the pictureId but we currently have to implement this ourselves.

  180.      * There is no XOR with a salt. Note that this IV leaks the SSRC to the receiver but since this is

  181.      * randomly generated and SFUs may not rewrite this is considered acceptable.

  182.      * The SSRC is used to allow demultiplexing multiple streams with the same key, as described in

  183.      *   https://tools.ietf.org/html/rfc3711#section-4.1.1

  184.      * The RTP timestamp is 32 bits and advances by the codec clock rate (90khz for video, 48khz for

  185.      * opus audio) every second. For video it rolls over roughly every 13 hours.

  186.      * The send counter will advance at the frame rate (30fps for video, 50fps for 20ms opus audio)

  187.      * every second. It will take a long time to roll over.

  188.      *

  189.      * See also https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams

  190.      */

  191.     _makeIV(synchronizationSource, timestamp) {

  192.         const iv = new ArrayBuffer(ivLength);

  193.         const ivView = new DataView(iv);

  194. 

  195.         // having to keep our own send count (similar to a picture id) is not ideal.

  196.         if (!this._sendCounts.has(synchronizationSource)) {

  197.             // Initialize with a random offset, similar to the RTP sequence number.

  198.             this._sendCounts.set(synchronizationSource, Math.floor(Math.random() * 0xFFFF));

  199.         }

  200.         const sendCount = this._sendCounts.get(synchronizationSource);

  201. 

  202.         ivView.setUint32(0, synchronizationSource);

  203.         ivView.setUint32(4, timestamp);

  204.         ivView.setUint32(8, sendCount % 0xFFFF);

  205. 

  206.         this._sendCounts.set(synchronizationSource, sendCount + 1);

  207. 

  208.         return iv;

  209.     }

  210. 

  211.     /**

  212.      * Function that will be injected in a stream and will encrypt the given encoded frames.

  213.      *

  214.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  215.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  216.      *

  217.      * The packet format is described below. One of the design goals was to not require

  218.      * changes to the SFU which for video requires not encrypting the keyframe bit of VP8

  219.      * as SFUs need to detect a keyframe (framemarking or the generic frame descriptor will

  220.      * solve this eventually). This also "hides" that a client is using E2EE a bit.

  221.      *

  222.      * Note that this operates on the full frame, i.e. for VP8 the data described in

  223.      *   https://tools.ietf.org/html/rfc6386#section-9.1

  224.      *

  225.      * The VP8 payload descriptor described in

  226.      *   https://tools.ietf.org/html/rfc7741#section-4.2

  227.      * is part of the RTP packet and not part of the frame and is not controllable by us.

  228.      * This is fine as the SFU keeps having access to it for routing.

  229.      *

  230.      * The encrypted frame is formed as follows:

  231.      * 1) Leave the first (10, 3, 1) bytes unencrypted, depending on the frame type and kind.

  232.      * 2) Form the GCM IV for the frame as described above.

  233.      * 3) Encrypt the rest of the frame using AES-GCM.

  234.      * 4) Allocate space for the encrypted frame.

  235.      * 5) Copy the unencrypted bytes to the start of the encrypted frame.

  236.      * 6) Append the ciphertext to the encrypted frame.

  237.      * 7) Append the IV.

  238.      * 8) Append a single byte for the key identifier. TODO: we don't need all the bits.

  239.      * 9) Enqueue the encrypted frame for sending.

  240.      */

  241.     _encodeFunction(encodedFrame, controller) {

  242.         const keyIndex = this._currentKeyIndex % this._cryptoKeyRing.length;

  243. 

  244.         if (this._cryptoKeyRing[keyIndex]) {

  245.             const iv = this._makeIV(encodedFrame.synchronizationSource, encodedFrame.timestamp);

  246. 

  247.             return crypto.subtle.encrypt({

  248.                 name: 'AES-GCM',

  249.                 iv,

  250.                 additionalData: new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])

  251.             }, this._cryptoKeyRing[keyIndex], new Uint8Array(encodedFrame.data, unencryptedBytes[encodedFrame.type]))

  252.             .then(cipherText => {

  253.                 const newData = new ArrayBuffer(unencryptedBytes[encodedFrame.type] + cipherText.byteLength

  254.                     + iv.byteLength + 1);

  255.                 const newUint8 = new Uint8Array(newData);

  256. 

  257.                 newUint8.set(

  258.                     new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])); // copy first bytes.

  259.                 newUint8.set(

  260.                     new Uint8Array(cipherText), unencryptedBytes[encodedFrame.type]); // add ciphertext.

  261.                 newUint8.set(

  262.                     new Uint8Array(iv), unencryptedBytes[encodedFrame.type] + cipherText.byteLength); // append IV.

  263.                 newUint8[unencryptedBytes[encodedFrame.type] + cipherText.byteLength + ivLength]

  264.                     = keyIndex; // set key index.

  265. 

  266.                 encodedFrame.data = newData;

  267. 

  268.                 return controller.enqueue(encodedFrame);

  269.             }, e => {

  270.                 logger.error(e);

  271. 

  272.                 // We are not enqueuing the frame here on purpose.

  273.             });

  274.         }

  275. 

  276.         /* NOTE WELL:

  277.          * This will send unencrypted data (only protected by DTLS transport encryption) when no key is configured.

  278.          * This is ok for demo purposes but should not be done once this becomes more relied upon.

  279.          */

  280.         controller.enqueue(encodedFrame);

  281.     }

  282. 

  283.     /**

  284.      * Function that will be injected in a stream and will decrypt the given encoded frames.

  285.      *

  286.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  287.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  288.      *

  289.      * The decrypted frame is formed as follows:

  290.      * 1) Extract the key index from the last byte of the encrypted frame.

  291.      *    If there is no key associated with the key index, the frame is enqueued for decoding

  292.      *    and these steps terminate.

  293.      * 2) Determine the frame type in order to look up the number of unencrypted header bytes.

  294.      * 2) Extract the 12-byte IV from its position near the end of the packet.

  295.      *    Note: the IV is treated as opaque and not reconstructed from the input.

  296.      * 3) Decrypt the encrypted frame content after the unencrypted bytes using AES-GCM.

  297.      * 4) Allocate space for the decrypted frame.

  298.      * 5) Copy the unencrypted bytes from the start of the encrypted frame.

  299.      * 6) Append the plaintext to the decrypted frame.

  300.      * 7) Enqueue the decrypted frame for decoding.

  301.      */

  302.     _decodeFunction(encodedFrame, controller) {

  303.         const data = new Uint8Array(encodedFrame.data);

  304.         const keyIndex = data[encodedFrame.data.byteLength - 1];

  305. 

  306.         if (this._cryptoKeyRing[keyIndex]) {

  307.             const iv = new Uint8Array(encodedFrame.data, encodedFrame.data.byteLength - ivLength - 1, ivLength);

  308.             const cipherTextStart = unencryptedBytes[encodedFrame.type];

  309.             const cipherTextLength = encodedFrame.data.byteLength - (unencryptedBytes[encodedFrame.type]

  310.                 + ivLength + 1);

  311. 

  312.             return crypto.subtle.decrypt({

  313.                 name: 'AES-GCM',

  314.                 iv,

  315.                 additionalData: new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type])

  316.             }, this._cryptoKeyRing[keyIndex], new Uint8Array(encodedFrame.data, cipherTextStart, cipherTextLength))

  317.             .then(plainText => {

  318.                 const newData = new ArrayBuffer(unencryptedBytes[encodedFrame.type] + plainText.byteLength);

  319.                 const newUint8 = new Uint8Array(newData);

  320. 

  321.                 newUint8.set(new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type]));

  322.                 newUint8.set(new Uint8Array(plainText), unencryptedBytes[encodedFrame.type]);

  323. 

  324.                 encodedFrame.data = newData;

  325. 

  326.                 return controller.enqueue(encodedFrame);

  327.             }, e => {

  328.                 logger.error(e);

  329.                 if (encodedFrame.type === undefined) { // audio, replace with silence.

  330.                     const newData = new ArrayBuffer(3);

  331.                     const newUint8 = new Uint8Array(newData);

  332. 

  333.                     newUint8.set([ 0xd8, 0xff, 0xfe ]); // opus silence frame.

  334.                     encodedFrame.data = newData;

  335.                 } else { // video, replace with a 320x180px black frame

  336.                     const newData = new ArrayBuffer(60);

  337.                     const newUint8 = new Uint8Array(newData);

  338. 

  339.                     newUint8.set([

  340.                         0xb0, 0x05, 0x00, 0x9d, 0x01, 0x2a, 0xa0, 0x00, 0x5a, 0x00, 0x39, 0x03, 0x00, 0x00, 0x1c, 0x22,

  341.                         0x16, 0x16, 0x22, 0x66, 0x12, 0x20, 0x04, 0x90, 0x40, 0x00, 0xc5, 0x01, 0xe0, 0x7c, 0x4d, 0x2f,

  342.                         0xfa, 0xdd, 0x4d, 0xa5, 0x7f, 0x89, 0xa5, 0xff, 0x5b, 0xa9, 0xb4, 0xaf, 0xf1, 0x34, 0xbf, 0xeb,

  343.                         0x75, 0x36, 0x95, 0xfe, 0x26, 0x96, 0x60, 0xfe, 0xff, 0xba, 0xff, 0x40

  344.                     ]);

  345.                     encodedFrame.data = newData;

  346.                 }

  347. 

  348.                 // TODO: notify the application about error status.

  349.                 controller.enqueue(encodedFrame);

  350.             });

  351.         }

  352. 

  353.         // TODO: this just passes through to the decoder. Is that ok? If we don't know the key yet

  354.         // we might want to buffer a bit but it is still unclear how to do that (and for how long etc).

  355.         controller.enqueue(encodedFrame);

  356.     }

  357. }