e2ee: Ratchet the key forward on authentication tag errors

similar to what is explained here:
  https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1
but we do it on authentication tag failures since it is not possible
to tell whether decrypt.

doc/e2ee.md

@@ -39,6 +39,14 @@ We do not encrypt the first few bytes of the packet that form the VP8 payload
 This allows the decoder to understand the frame a bit more and makes it decode the fun looking garbage we see in the video.
 This also means the SFU does not know (ideally) that the content is end-to-end encrypted and there are no changes in the SFU required at all.
 
+## Key Ratcheting
+Unlike described in
+  https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1
+we attempt to ratchet the key forward when we do not find a valid
+authentication tag. Note that we only update the set of keys when
+we find a valid signature which avoids a denial of service attack with invalid signatures.
+
+TODO: if a frame ratchets the key forward it should be signed with the senders private key.
 
 ## Using workers
 

modules/e2ee/E2EEContext.js

@@ -148,4 +148,15 @@ export default class E2EEcontext {
             keyIndex
         });
     }
+
+    /**
+     * Ratchet our own key.
+     * @param {string} participantId - the ID of the participant who's key we should ratchet.
+     */
+    ratchet(participantId) {
+        this._worker.postMessage({
+            operation: 'ratchet',
+            participantId
+        });
+    }
 }

modules/e2ee/E2EEncryption.js

@@ -169,7 +169,7 @@ export class E2EEncryption {
     }
 
     /**
-     * Advances (using ratcheting) the current key whern a new participant joins the conference.
+     * Advances (using ratcheting) the current key when a new participant joins the conference.
      * @private
      */
     _onParticipantJoined(id) {
@@ -195,7 +195,7 @@ export class E2EEncryption {
     }
 
     /**
-     * Event posted when the E2EE signalling channel has been establioshed with the given participant.
+     * Event posted when the E2EE signalling channel has been established with the given participant.
      * @private
      */
     _onParticipantE2EEChannelReady(id) {
@@ -218,15 +218,16 @@ export class E2EEncryption {
 
     /**
      * Advances the current key by using ratcheting.
-     * TODO: not yet implemented, we are just rotating the key at the moment,
-     * which is a heavier operation.
      *
      * @private
      */
     async _ratchetKeyImpl() {
         logger.debug('Ratchetting key');
 
-        return this._rotateKey();
+        this._e2eeCtx.ratchet(this.conference.myUserId());
+
+        // TODO: how do we tell the olm adapter which might need to send the current ratchet key
+        //      to the other side?
     }
 
     /**

modules/e2ee/Worker.js

@@ -70,18 +70,17 @@ const digestLength = {
     undefined: 4 // frame.type is not set on audio
 };
 
+// Maximum number of forward ratchets to attempt when the authentication
+// tag on a remote packet does not match the current key.
+const ratchetWindow = 8;
+
 /**
  * Derives a set of keys from the master key.
- * @param {Uint8Array} keyBytes - Value to derive key from
- * @param {Uint8Array} salt - Salt used in key derivation
+ * @param {CryptoKey} material - master key to derive from
  *
  * See https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.1
  */
-async function deriveKeys(keyBytes) {
-    // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey
-    const material = await crypto.subtle.importKey('raw', keyBytes,
-        'HKDF', false, [ 'deriveBits', 'deriveKey' ]);
-
+async function deriveKeys(material) {
     const info = new ArrayBuffer();
     const textEncoder = new TextEncoder();
 
@@ -113,12 +112,30 @@ async function deriveKeys(keyBytes) {
     }, material, 128);
 
     return {
+        material,
         encryptionKey,
         authenticationKey,
         saltKey
     };
 }
 
+/**
+ * Ratchets a key. See
+ * https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1
+ * @param {CryptoKey} material - base key material
+ * @returns {ArrayBuffer} - ratcheted key material
+ */
+async function ratchet(material) {
+    const textEncoder = new TextEncoder();
+
+    return crypto.subtle.deriveBits({
+        name: 'HKDF',
+        salt: textEncoder.encode('JFrameRatchetKey'),
+        hash: 'SHA-256',
+        info: new ArrayBuffer()
+    }, material, 256);
+}
+
 
 /**
  * Per-participant context holding the cryptographic keys and
@@ -144,21 +161,47 @@ class Context {
     }
 
     /**
-     * Sets a key, derives the different subkeys and starts using them for encryption or
+     * Derives the different subkeys and starts using them for encryption or
      * decryption.
-     * @param {CryptoKey} key
+     * @param {Uint8Array|false} key bytes. Pass false to disable.
      * @param {Number} keyIndex
      */
-    async setKey(key, keyIndex) {
-        this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;
-        if (key) {
-            this._cryptoKeyRing[this._currentKeyIndex] = await deriveKeys(key);
+    async setKey(keyBytes, keyIndex) {
+        let newKey;
+
+        if (keyBytes) {
+            // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey
+            const material = await crypto.subtle.importKey('raw', keyBytes,
+                'HKDF', false, [ 'deriveBits', 'deriveKey' ]);
+
+            newKey = await deriveKeys(material);
         } else {
-            this._cryptoKeyRing[this._currentKeyIndex] = false;
+            newKey = false;
         }
+        this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;
+        this._setKeys(newKey);
+    }
+
+    /**
+     * Sets a set of keys and resets the sendCount.
+     * decryption.
+     * @param {Object} keys set of keys.
+     */
+    _setKeys(keys) {
+        this._cryptoKeyRing[this._currentKeyIndex] = keys;
         this._sendCount = 0n; // Reset the send count (bigint).
     }
 
+    /**
+     * Ratchets a key forward one step.
+     */
+    async ratchet() {
+        const keys = this._cryptoKeyRing[this._currentKeyIndex];
+        const material = await ratchet(keys.material);
+
+        this.setKey(material, this._currentKeyIndex);
+    }
+
     /**
      * Function that will be injected in a stream and will encrypt the given encoded frames.
      *
@@ -292,16 +335,38 @@ class Context {
 
             data.set(zeros, encodedFrame.data.byteLength - (digestLength[encodedFrame.type] + counterLength + 1));
 
-            const calculatedTag = await crypto.subtle.sign(authenticationTagOptions,
-                this._cryptoKeyRing[keyIndex].authenticationKey, encodedFrame.data);
+            // Do truncated hash comparison. If the hash does not match we might have to advance the
+            // ratchet a limited number of times. See (even though the description there is odd)
+            // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1
+            let { authenticationKey, material } = this._cryptoKeyRing[keyIndex];
+            let valid = false;
+            let newKeys = null;
+
+            for (let distance = 0; distance < ratchetWindow; distance++) {
+                const calculatedTag = await crypto.subtle.sign(authenticationTagOptions,
+                    authenticationKey, encodedFrame.data);
+
+                if (isArrayEqual(new Uint8Array(authTag),
+                        new Uint8Array(calculatedTag.slice(0, digestLength[encodedFrame.type])))) {
+                    valid = true;
+                    if (distance > 0) {
+                        this._setKeys(newKeys);
+                    }
+                    break;
+                }
+
+                // Attempt to ratchet and generate the next set of keys.
+                material = await crypto.subtle.importKey('raw', await ratchet(material),
+                    'HKDF', false, [ 'deriveBits', 'deriveKey' ]);
+                newKeys = await deriveKeys(material);
+                authenticationKey = newKeys.authenticationKey;
+            }
+
+            // Check whether we found a valid signature.
+            if (!valid) {
+                // TODO: return an error to the app.
 
-            // Do truncated hash comparison.
-            if (!isArrayEqual(new Uint8Array(authTag),
-                    new Uint8Array(calculatedTag.slice(0, digestLength[encodedFrame.type])))) {
-                // TODO: at this point we need to ratchet until we get a key that works. If we ratchet too often
-                // we need to return an error to the app.
-                console.error('Authentication tag mismatch', new Uint8Array(authTag), new Uint8Array(calculatedTag,
-                    0, digestLength[encodedFrame.type]));
+                console.error('Authentication tag mismatch');
 
                 return;
             }
@@ -419,6 +484,19 @@ onmessage = async event => {
         } else {
             context.setKey(false, keyIndex);
         }
+    } else if (operation === 'ratchet') {
+        const { participantId } = event.data;
+
+        // TODO: can we ensure this is for our own sender key?
+
+        if (!contexts.has(participantId)) {
+            console.error('Could not find context for', participantId);
+
+            return;
+        }
+        const context = contexts.get(participantId);
+
+        context.ratchet();
     } else if (operation === 'cleanup') {
         const { participantId } = event.data;