jfinn
/
ljm_j1
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
2400 コミット
3 ブランチ
ツリー: 00c8cfad98
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'00c8cfad98' から
${ noResults }
ljm_j1/modules/e2ee/Context.js

Context.js 14KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325 
  1. /* eslint-disable no-bitwise */

  2. /* global BigInt */

  3. 

  4. import { deriveKeys, importKey, ratchet } from './crypto-utils';

  5. import { isArrayEqual } from './utils';

  6. 

  7. // We use a ringbuffer of keys so we can change them and still decode packets that were

  8. // encrypted with an old key. We use a size of 16 which corresponds to the four bits

  9. // in the frame trailer.

  10. const keyRingSize = 16;

  11. 

  12. // We copy the first bytes of the VP8 payload unencrypted.

  13. // For keyframes this is 10 bytes, for non-keyframes (delta) 3. See

  14. //   https://tools.ietf.org/html/rfc6386#section-9.1

  15. // This allows the bridge to continue detecting keyframes (only one byte needed in the JVB)

  16. // and is also a bit easier for the VP8 decoder (i.e. it generates funny garbage pictures

  17. // instead of being unable to decode).

  18. // This is a bit for show and we might want to reduce to 1 unconditionally in the final version.

  19. //

  20. // For audio (where frame.type is not set) we do not encrypt the opus TOC byte:

  21. //   https://tools.ietf.org/html/rfc6716#section-3.1

  22. const unencryptedBytes = {

  23.     key: 10,

  24.     delta: 3,

  25.     undefined: 1 // frame.type is not set on audio

  26. };

  27. 

  28. // Use truncated SHA-256 hashes, 80 bіts for video, 32 bits for audio.

  29. // This follows the same principles as DTLS-SRTP.

  30. const authenticationTagOptions = {

  31.     name: 'HMAC',

  32.     hash: 'SHA-256'

  33. };

  34. const digestLength = {

  35.     key: 10,

  36.     delta: 10,

  37.     undefined: 4 // frame.type is not set on audio

  38. };

  39. 

  40. // Maximum number of forward ratchets to attempt when the authentication

  41. // tag on a remote packet does not match the current key.

  42. const ratchetWindow = 8;

  43. 

  44. /**

  45.  * Per-participant context holding the cryptographic keys and

  46.  * encode/decode functions

  47.  */

  48. export class Context {

  49.     /**

  50.      * @param {string} id - local muc resourcepart

  51.      */

  52.     constructor(id) {

  53.         // An array (ring) of keys that we use for sending and receiving.

  54.         this._cryptoKeyRing = new Array(keyRingSize);

  55. 

  56.         // A pointer to the currently used key.

  57.         this._currentKeyIndex = -1;

  58. 

  59.         // A per-sender counter that is used create the AES CTR.

  60.         // Must be incremented on every frame that is sent, can be reset on

  61.         // key changes.

  62.         this._sendCount = BigInt(0); // eslint-disable-line new-cap

  63. 

  64.         this._id = id;

  65.     }

  66. 

  67.     /**

  68.      * Derives the different subkeys and starts using them for encryption or

  69.      * decryption.

  70.      * @param {Uint8Array|false} key bytes. Pass false to disable.

  71.      * @param {Number} keyIndex

  72.      */

  73.     async setKey(keyBytes, keyIndex) {

  74.         let newKey;

  75. 

  76.         if (keyBytes) {

  77.             const material = await importKey(keyBytes);

  78. 

  79.             newKey = await deriveKeys(material);

  80.         } else {

  81.             newKey = false;

  82.         }

  83.         this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;

  84.         this._setKeys(newKey);

  85.     }

  86. 

  87.     /**

  88.      * Sets a set of keys and resets the sendCount.

  89.      * decryption.

  90.      * @param {Object} keys set of keys.

  91.      * @private

  92.      */

  93.     _setKeys(keys) {

  94.         this._cryptoKeyRing[this._currentKeyIndex] = keys;

  95.         this._sendCount = BigInt(0); // eslint-disable-line new-cap

  96.     }

  97. 

  98.     /**

  99.      * Function that will be injected in a stream and will encrypt the given encoded frames.

  100.      *

  101.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  102.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  103.      *

  104.      * The packet format is a variant of

  105.      *   https://tools.ietf.org/html/draft-omara-sframe-00

  106.      * using a trailer instead of a header. One of the design goals was to not require

  107.      * changes to the SFU which for video requires not encrypting the keyframe bit of VP8

  108.      * as SFUs need to detect a keyframe (framemarking or the generic frame descriptor will

  109.      * solve this eventually). This also "hides" that a client is using E2EE a bit.

  110.      *

  111.      * Note that this operates on the full frame, i.e. for VP8 the data described in

  112.      *   https://tools.ietf.org/html/rfc6386#section-9.1

  113.      *

  114.      * The VP8 payload descriptor described in

  115.      *   https://tools.ietf.org/html/rfc7741#section-4.2

  116.      * is part of the RTP packet and not part of the encoded frame and is therefore not

  117.      * controllable by us. This is fine as the SFU keeps having access to it for routing.

  118.      */

  119.     encodeFunction(encodedFrame, controller) {

  120.         const keyIndex = this._currentKeyIndex;

  121. 

  122.         if (this._cryptoKeyRing[keyIndex]) {

  123.             this._sendCount++;

  124. 

  125.             // Thіs is not encrypted and contains the VP8 payload descriptor or the Opus TOC byte.

  126.             const frameHeader = new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type]);

  127. 

  128.             // Construct frame trailer. Similar to the frame header described in

  129.             // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.2

  130.             // but we put it at the end.

  131.             //                                             0 1 2 3 4 5 6 7

  132.             // ---------+---------------------------------+-+-+-+-+-+-+-+-+

  133.             // payload  |    CTR... (length=LEN)          |S|LEN  |KID    |

  134.             // ---------+---------------------------------+-+-+-+-+-+-+-+-+

  135.             const counter = new Uint8Array(16);

  136.             const counterView = new DataView(counter.buffer);

  137. 

  138.             // The counter is encoded as a variable-length field.

  139.             counterView.setBigUint64(8, this._sendCount);

  140.             let counterLength = 8;

  141. 

  142.             for (let i = 8; i < counter.byteLength; i++ && counterLength--) {

  143.                 if (counterView.getUint8(i) !== 0) {

  144.                     break;

  145.                 }

  146.             }

  147. 

  148.             const frameTrailer = new Uint8Array(counterLength + 1);

  149. 

  150.             frameTrailer.set(new Uint8Array(counter.buffer, counter.byteLength - counterLength));

  151. 

  152.             // Since we never send a counter of 0 we send counterLength - 1 on the wire.

  153.             // This is different from the sframe draft, increases the key space and lets us

  154.             // ignore the case of a zero-length counter at the receiver.

  155.             frameTrailer[frameTrailer.byteLength - 1] = keyIndex | ((counterLength - 1) << 4);

  156. 

  157.             // XOR the counter with the saltKey to construct the AES CTR.

  158.             const saltKey = new DataView(this._cryptoKeyRing[keyIndex].saltKey);

  159. 

  160.             for (let i = 0; i < counter.byteLength; i++) {

  161.                 counterView.setUint8(i, counterView.getUint8(i) ^ saltKey.getUint8(i));

  162.             }

  163. 

  164.             return crypto.subtle.encrypt({

  165.                 name: 'AES-CTR',

  166.                 counter,

  167.                 length: 64

  168.             }, this._cryptoKeyRing[keyIndex].encryptionKey, new Uint8Array(encodedFrame.data,

  169.                 unencryptedBytes[encodedFrame.type]))

  170.             .then(cipherText => {

  171.                 const newData = new ArrayBuffer(frameHeader.byteLength + cipherText.byteLength

  172.                     + digestLength[encodedFrame.type] + frameTrailer.byteLength);

  173.                 const newUint8 = new Uint8Array(newData);

  174. 

  175.                 newUint8.set(frameHeader); // copy first bytes.

  176.                 newUint8.set(new Uint8Array(cipherText), unencryptedBytes[encodedFrame.type]); // add ciphertext.

  177.                 // Leave some space for the authentication tag. This is filled with 0s initially, similar to

  178.                 // STUN message-integrity described in https://tools.ietf.org/html/rfc5389#section-15.4

  179.                 newUint8.set(frameTrailer, frameHeader.byteLength + cipherText.byteLength

  180.                     + digestLength[encodedFrame.type]); // append trailer.

  181. 

  182.                 return crypto.subtle.sign(authenticationTagOptions, this._cryptoKeyRing[keyIndex].authenticationKey,

  183.                     new Uint8Array(newData)).then(authTag => {

  184.                     // Set the truncated authentication tag.

  185.                     newUint8.set(new Uint8Array(authTag, 0, digestLength[encodedFrame.type]),

  186.                         unencryptedBytes[encodedFrame.type] + cipherText.byteLength);

  187.                     encodedFrame.data = newData;

  188. 

  189.                     return controller.enqueue(encodedFrame);

  190.                 });

  191.             }, e => {

  192.                 // TODO: surface this to the app.

  193.                 console.error(e);

  194. 

  195.                 // We are not enqueuing the frame here on purpose.

  196.             });

  197.         }

  198. 

  199.         /* NOTE WELL:

  200.          * This will send unencrypted data (only protected by DTLS transport encryption) when no key is configured.

  201.          * This is ok for demo purposes but should not be done once this becomes more relied upon.

  202.          */

  203.         controller.enqueue(encodedFrame);

  204.     }

  205. 

  206.     /**

  207.      * Function that will be injected in a stream and will decrypt the given encoded frames.

  208.      *

  209.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  210.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  211.      */

  212.     async decodeFunction(encodedFrame, controller) {

  213.         const data = new Uint8Array(encodedFrame.data);

  214.         const keyIndex = data[encodedFrame.data.byteLength - 1] & 0xf; // lower four bits.

  215. 

  216.         if (this._cryptoKeyRing[keyIndex]) {

  217.             const counterLength = 1 + ((data[encodedFrame.data.byteLength - 1] >> 4) & 0x7);

  218.             const frameHeader = new Uint8Array(encodedFrame.data, 0, unencryptedBytes[encodedFrame.type]);

  219. 

  220.             // Extract the truncated authentication tag.

  221.             const authTagOffset = encodedFrame.data.byteLength - (digestLength[encodedFrame.type]

  222.                 + counterLength + 1);

  223.             const authTag = encodedFrame.data.slice(authTagOffset, authTagOffset

  224.                 + digestLength[encodedFrame.type]);

  225. 

  226.             // Set authentication tag bytes to 0.

  227.             const zeros = new Uint8Array(digestLength[encodedFrame.type]);

  228. 

  229.             data.set(zeros, encodedFrame.data.byteLength - (digestLength[encodedFrame.type] + counterLength + 1));

  230. 

  231.             // Do truncated hash comparison. If the hash does not match we might have to advance the

  232.             // ratchet a limited number of times. See (even though the description there is odd)

  233.             // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1

  234.             let { authenticationKey, material } = this._cryptoKeyRing[keyIndex];

  235.             let valid = false;

  236.             let newKeys = null;

  237. 

  238.             for (let distance = 0; distance < ratchetWindow; distance++) {

  239.                 const calculatedTag = await crypto.subtle.sign(authenticationTagOptions,

  240.                     authenticationKey, encodedFrame.data);

  241. 

  242.                 if (isArrayEqual(new Uint8Array(authTag),

  243.                         new Uint8Array(calculatedTag.slice(0, digestLength[encodedFrame.type])))) {

  244.                     valid = true;

  245.                     if (distance > 0) {

  246.                         this._setKeys(newKeys);

  247.                     }

  248.                     break;

  249.                 }

  250. 

  251.                 // Attempt to ratchet and generate the next set of keys.

  252.                 material = await importKey(await ratchet(material));

  253.                 newKeys = await deriveKeys(material);

  254.                 authenticationKey = newKeys.authenticationKey;

  255.             }

  256. 

  257.             // Check whether we found a valid signature.

  258.             if (!valid) {

  259.                 // TODO: return an error to the app.

  260. 

  261.                 console.error('Authentication tag mismatch');

  262. 

  263.                 return;

  264.             }

  265. 

  266.             // Extract the counter.

  267.             const counter = new Uint8Array(16);

  268. 

  269.             counter.set(data.slice(encodedFrame.data.byteLength - (counterLength + 1),

  270.                 encodedFrame.data.byteLength - 1), 16 - counterLength);

  271.             const counterView = new DataView(counter.buffer);

  272. 

  273.             // XOR the counter with the saltKey to construct the AES CTR.

  274.             const saltKey = new DataView(this._cryptoKeyRing[keyIndex].saltKey);

  275. 

  276.             for (let i = 0; i < counter.byteLength; i++) {

  277.                 counterView.setUint8(i,

  278.                     counterView.getUint8(i) ^ saltKey.getUint8(i));

  279.             }

  280. 

  281.             return crypto.subtle.decrypt({

  282.                 name: 'AES-CTR',

  283.                 counter,

  284.                 length: 64

  285.             }, this._cryptoKeyRing[keyIndex].encryptionKey, new Uint8Array(encodedFrame.data,

  286.                     unencryptedBytes[encodedFrame.type],

  287.                     encodedFrame.data.byteLength - (unencryptedBytes[encodedFrame.type]

  288.                     + digestLength[encodedFrame.type] + counterLength + 1))

  289.             ).then(plainText => {

  290.                 const newData = new ArrayBuffer(unencryptedBytes[encodedFrame.type] + plainText.byteLength);

  291.                 const newUint8 = new Uint8Array(newData);

  292. 

  293.                 newUint8.set(frameHeader);

  294.                 newUint8.set(new Uint8Array(plainText), unencryptedBytes[encodedFrame.type]);

  295.                 encodedFrame.data = newData;

  296. 

  297.                 return controller.enqueue(encodedFrame);

  298.             }, e => {

  299.                 console.error(e);

  300. 

  301.                 // TODO: notify the application about error status.

  302.                 // TODO: For video we need a better strategy since we do not want to based any

  303.                 // non-error frames on a garbage keyframe.

  304.                 if (encodedFrame.type === undefined) { // audio, replace with silence.

  305.                     const newData = new ArrayBuffer(3);

  306.                     const newUint8 = new Uint8Array(newData);

  307. 

  308.                     newUint8.set([ 0xd8, 0xff, 0xfe ]); // opus silence frame.

  309.                     encodedFrame.data = newData;

  310.                     controller.enqueue(encodedFrame);

  311.                 }

  312.             });

  313.         } else if (keyIndex >= this._cryptoKeyRing.length && this._cryptoKeyRing[this._currentKeyIndex]) {

  314.             // If we are encrypting but don't have a key for the remote drop the frame.

  315.             // This is a heuristic since we don't know whether a packet is encrypted,

  316.             // do not have a checksum and do not have signaling for whether a remote participant does

  317.             // encrypt or not.

  318.             return;

  319.         }

  320. 

  321.         // TODO: this just passes through to the decoder. Is that ok? If we don't know the key yet

  322.         // we might want to buffer a bit but it is still unclear how to do that (and for how long etc).

  323.         controller.enqueue(encodedFrame);

  324.     }

  325. }