jfinn
/
ljm_j1
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2562 Commits
3 Branches
Tree: ed43a6953d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ed43a6953d'
${ noResults }
ljm_j1/modules/e2ee/Context.js

Context.js 14KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332 
  1. /* eslint-disable no-bitwise */

  2. /* global BigInt */

  3. 

  4. import { deriveKeys, importKey, ratchet } from './crypto-utils';

  5. import { isArrayEqual } from './utils';

  6. 

  7. // We use a ringbuffer of keys so we can change them and still decode packets that were

  8. // encrypted with an old key. We use a size of 16 which corresponds to the four bits

  9. // in the frame trailer.

  10. const KEYRING_SIZE = 16;

  11. 

  12. // We copy the first bytes of the VP8 payload unencrypted.

  13. // For keyframes this is 10 bytes, for non-keyframes (delta) 3. See

  14. //   https://tools.ietf.org/html/rfc6386#section-9.1

  15. // This allows the bridge to continue detecting keyframes (only one byte needed in the JVB)

  16. // and is also a bit easier for the VP8 decoder (i.e. it generates funny garbage pictures

  17. // instead of being unable to decode).

  18. // This is a bit for show and we might want to reduce to 1 unconditionally in the final version.

  19. //

  20. // For audio (where frame.type is not set) we do not encrypt the opus TOC byte:

  21. //   https://tools.ietf.org/html/rfc6716#section-3.1

  22. const UNENCRYPTED_BYTES = {

  23.     key: 10,

  24.     delta: 3,

  25.     undefined: 1 // frame.type is not set on audio

  26. };

  27. 

  28. // Use truncated SHA-256 hashes, 80 bіts for video, 32 bits for audio.

  29. // This follows the same principles as DTLS-SRTP.

  30. const AUTHENTICATIONTAG_OPTIONS = {

  31.     name: 'HMAC',

  32.     hash: 'SHA-256'

  33. };

  34. const ENCRYPTION_ALGORITHM = 'AES-CTR';

  35. 

  36. // https://developer.mozilla.org/en-US/docs/Web/API/AesCtrParams

  37. const CTR_LENGTH = 64;

  38. 

  39. const DIGEST_LENGTH = {

  40.     key: 10,

  41.     delta: 10,

  42.     undefined: 4 // frame.type is not set on audio

  43. };

  44. 

  45. // Maximum number of forward ratchets to attempt when the authentication

  46. // tag on a remote packet does not match the current key.

  47. const RATCHET_WINDOW_SIZE = 8;

  48. 

  49. /**

  50.  * Per-participant context holding the cryptographic keys and

  51.  * encode/decode functions

  52.  */

  53. export class Context {

  54.     /**

  55.      * @param {string} id - local muc resourcepart

  56.      */

  57.     constructor(id) {

  58.         // An array (ring) of keys that we use for sending and receiving.

  59.         this._cryptoKeyRing = new Array(KEYRING_SIZE);

  60. 

  61.         // A pointer to the currently used key.

  62.         this._currentKeyIndex = -1;

  63. 

  64.         // A per-sender counter that is used create the AES CTR.

  65.         // Must be incremented on every frame that is sent, can be reset on

  66.         // key changes.

  67.         this._sendCount = BigInt(0); // eslint-disable-line new-cap

  68. 

  69.         this._id = id;

  70.     }

  71. 

  72.     /**

  73.      * Derives the different subkeys and starts using them for encryption or

  74.      * decryption.

  75.      * @param {Uint8Array|false} key bytes. Pass false to disable.

  76.      * @param {Number} keyIndex

  77.      */

  78.     async setKey(keyBytes, keyIndex) {

  79.         let newKey;

  80. 

  81.         if (keyBytes) {

  82.             const material = await importKey(keyBytes);

  83. 

  84.             newKey = await deriveKeys(material);

  85.         } else {

  86.             newKey = false;

  87.         }

  88.         this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;

  89.         this._setKeys(newKey);

  90.     }

  91. 

  92.     /**

  93.      * Sets a set of keys and resets the sendCount.

  94.      * decryption.

  95.      * @param {Object} keys set of keys.

  96.      * @param {Number} keyIndex optional

  97.      * @private

  98.      */

  99.     _setKeys(keys, keyIndex = -1) {

  100.         if (keyIndex >= 0) {

  101.             this._cryptoKeyRing[keyIndex] = keys;

  102.         } else {

  103.             this._cryptoKeyRing[this._currentKeyIndex] = keys;

  104.         }

  105.         this._sendCount = BigInt(0); // eslint-disable-line new-cap

  106.     }

  107. 

  108.     /**

  109.      * Function that will be injected in a stream and will encrypt the given encoded frames.

  110.      *

  111.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  112.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  113.      *

  114.      * The packet format is a variant of

  115.      *   https://tools.ietf.org/html/draft-omara-sframe-00

  116.      * using a trailer instead of a header. One of the design goals was to not require

  117.      * changes to the SFU which for video requires not encrypting the keyframe bit of VP8

  118.      * as SFUs need to detect a keyframe (framemarking or the generic frame descriptor will

  119.      * solve this eventually). This also "hides" that a client is using E2EE a bit.

  120.      *

  121.      * Note that this operates on the full frame, i.e. for VP8 the data described in

  122.      *   https://tools.ietf.org/html/rfc6386#section-9.1

  123.      *

  124.      * The VP8 payload descriptor described in

  125.      *   https://tools.ietf.org/html/rfc7741#section-4.2

  126.      * is part of the RTP packet and not part of the encoded frame and is therefore not

  127.      * controllable by us. This is fine as the SFU keeps having access to it for routing.

  128.      */

  129.     encodeFunction(encodedFrame, controller) {

  130.         const keyIndex = this._currentKeyIndex;

  131. 

  132.         if (this._cryptoKeyRing[keyIndex]) {

  133.             this._sendCount++;

  134. 

  135.             // Thіs is not encrypted and contains the VP8 payload descriptor or the Opus TOC byte.

  136.             const frameHeader = new Uint8Array(encodedFrame.data, 0, UNENCRYPTED_BYTES[encodedFrame.type]);

  137. 

  138.             // Construct frame trailer. Similar to the frame header described in

  139.             // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.2

  140.             // but we put it at the end.

  141.             //                                             0 1 2 3 4 5 6 7

  142.             // ---------+---------------------------------+-+-+-+-+-+-+-+-+

  143.             // payload  |    CTR... (length=LEN)          |S|LEN  |KID    |

  144.             // ---------+---------------------------------+-+-+-+-+-+-+-+-+

  145.             const counter = new Uint8Array(16);

  146.             const counterView = new DataView(counter.buffer);

  147. 

  148.             // The counter is encoded as a variable-length field.

  149.             counterView.setBigUint64(8, this._sendCount);

  150.             let counterLength = 8;

  151. 

  152.             for (let i = 8; i < counter.byteLength; i++ && counterLength--) {

  153.                 if (counterView.getUint8(i) !== 0) {

  154.                     break;

  155.                 }

  156.             }

  157. 

  158.             const frameTrailer = new Uint8Array(counterLength + 1);

  159. 

  160.             frameTrailer.set(new Uint8Array(counter.buffer, counter.byteLength - counterLength));

  161. 

  162.             // Since we never send a counter of 0 we send counterLength - 1 on the wire.

  163.             // This is different from the sframe draft, increases the key space and lets us

  164.             // ignore the case of a zero-length counter at the receiver.

  165.             frameTrailer[frameTrailer.byteLength - 1] = keyIndex | ((counterLength - 1) << 4);

  166. 

  167.             // XOR the counter with the saltKey to construct the AES CTR.

  168.             const saltKey = new DataView(this._cryptoKeyRing[keyIndex].saltKey);

  169. 

  170.             for (let i = 0; i < counter.byteLength; i++) {

  171.                 counterView.setUint8(i, counterView.getUint8(i) ^ saltKey.getUint8(i));

  172.             }

  173. 

  174.             return crypto.subtle.encrypt({

  175.                 name: ENCRYPTION_ALGORITHM,

  176.                 counter,

  177.                 length: CTR_LENGTH

  178.             }, this._cryptoKeyRing[keyIndex].encryptionKey, new Uint8Array(encodedFrame.data,

  179.                 UNENCRYPTED_BYTES[encodedFrame.type]))

  180.             .then(cipherText => {

  181.                 const newData = new ArrayBuffer(frameHeader.byteLength + cipherText.byteLength

  182.                     + DIGEST_LENGTH[encodedFrame.type] + frameTrailer.byteLength);

  183.                 const newUint8 = new Uint8Array(newData);

  184. 

  185.                 newUint8.set(frameHeader); // copy first bytes.

  186.                 newUint8.set(new Uint8Array(cipherText), UNENCRYPTED_BYTES[encodedFrame.type]); // add ciphertext.

  187.                 // Leave some space for the authentication tag. This is filled with 0s initially, similar to

  188.                 // STUN message-integrity described in https://tools.ietf.org/html/rfc5389#section-15.4

  189.                 newUint8.set(frameTrailer, frameHeader.byteLength + cipherText.byteLength

  190.                     + DIGEST_LENGTH[encodedFrame.type]); // append trailer.

  191. 

  192.                 return crypto.subtle.sign(AUTHENTICATIONTAG_OPTIONS, this._cryptoKeyRing[keyIndex].authenticationKey,

  193.                     new Uint8Array(newData)).then(async authTag => {

  194.                     const truncatedAuthTag = new Uint8Array(authTag, 0, DIGEST_LENGTH[encodedFrame.type]);

  195. 

  196. 

  197.                     // Set the truncated authentication tag.

  198.                     newUint8.set(truncatedAuthTag, UNENCRYPTED_BYTES[encodedFrame.type] + cipherText.byteLength);

  199. 

  200.                     encodedFrame.data = newData;

  201. 

  202.                     return controller.enqueue(encodedFrame);

  203.                 });

  204.             }, e => {

  205.                 // TODO: surface this to the app.

  206.                 console.error(e);

  207. 

  208.                 // We are not enqueuing the frame here on purpose.

  209.             });

  210.         }

  211. 

  212.         /* NOTE WELL:

  213.          * This will send unencrypted data (only protected by DTLS transport encryption) when no key is configured.

  214.          * This is ok for demo purposes but should not be done once this becomes more relied upon.

  215.          */

  216.         controller.enqueue(encodedFrame);

  217.     }

  218. 

  219.     /**

  220.      * Function that will be injected in a stream and will decrypt the given encoded frames.

  221.      *

  222.      * @param {RTCEncodedVideoFrame|RTCEncodedAudioFrame} encodedFrame - Encoded video frame.

  223.      * @param {TransformStreamDefaultController} controller - TransportStreamController.

  224.      */

  225.     async decodeFunction(encodedFrame, controller) {

  226.         const data = new Uint8Array(encodedFrame.data);

  227.         const keyIndex = data[encodedFrame.data.byteLength - 1] & 0xf; // lower four bits.

  228. 

  229.         if (this._cryptoKeyRing[this._currentKeyIndex] && this._cryptoKeyRing[keyIndex]) {

  230.             const counterLength = 1 + ((data[encodedFrame.data.byteLength - 1] >> 4) & 0x7);

  231.             const frameHeader = new Uint8Array(encodedFrame.data, 0, UNENCRYPTED_BYTES[encodedFrame.type]);

  232. 

  233.             // Extract the truncated authentication tag.

  234.             const authTagOffset = encodedFrame.data.byteLength - (DIGEST_LENGTH[encodedFrame.type]

  235.                 + counterLength + 1);

  236.             const authTag = encodedFrame.data.slice(authTagOffset, authTagOffset

  237.                 + DIGEST_LENGTH[encodedFrame.type]);

  238. 

  239.             // Set authentication tag bytes to 0.

  240.             data.set(new Uint8Array(DIGEST_LENGTH[encodedFrame.type]), encodedFrame.data.byteLength

  241.                 - (DIGEST_LENGTH[encodedFrame.type] + counterLength + 1));

  242. 

  243.             // Do truncated hash comparison of the authentication tag.

  244.             // If the hash does not match we might have to advance the ratchet a limited number

  245.             // of times. See (even though the description there is odd)

  246.             // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.3.5.1

  247.             let { authenticationKey, material } = this._cryptoKeyRing[keyIndex];

  248.             let validAuthTag = false;

  249.             let newKeys = null;

  250. 

  251.             for (let distance = 0; distance < RATCHET_WINDOW_SIZE; distance++) {

  252.                 const calculatedTag = await crypto.subtle.sign(AUTHENTICATIONTAG_OPTIONS,

  253.                     authenticationKey, encodedFrame.data);

  254. 

  255.                 if (isArrayEqual(new Uint8Array(authTag),

  256.                         new Uint8Array(calculatedTag.slice(0, DIGEST_LENGTH[encodedFrame.type])))) {

  257.                     validAuthTag = true;

  258.                     if (distance > 0) {

  259.                         this._setKeys(newKeys, keyIndex);

  260.                     }

  261.                     break;

  262.                 }

  263. 

  264.                 // Attempt to ratchet and generate the next set of keys.

  265.                 material = await importKey(await ratchet(material));

  266.                 newKeys = await deriveKeys(material);

  267.                 authenticationKey = newKeys.authenticationKey;

  268.             }

  269. 

  270.             // Check whether we found a valid authentication tag.

  271.             if (!validAuthTag) {

  272.                 // TODO: return an error to the app.

  273. 

  274.                 console.error('Authentication tag mismatch');

  275. 

  276.                 return;

  277.             }

  278. 

  279.             // Extract the counter.

  280.             const counter = new Uint8Array(16);

  281. 

  282.             counter.set(data.slice(encodedFrame.data.byteLength - (counterLength + 1),

  283.                 encodedFrame.data.byteLength - 1), 16 - counterLength);

  284.             const counterView = new DataView(counter.buffer);

  285. 

  286.             // XOR the counter with the saltKey to construct the AES CTR.

  287.             const saltKey = new DataView(this._cryptoKeyRing[keyIndex].saltKey);

  288. 

  289.             for (let i = 0; i < counter.byteLength; i++) {

  290.                 counterView.setUint8(i,

  291.                     counterView.getUint8(i) ^ saltKey.getUint8(i));

  292.             }

  293. 

  294.             return crypto.subtle.decrypt({

  295.                 name: ENCRYPTION_ALGORITHM,

  296.                 counter,

  297.                 length: CTR_LENGTH

  298.             }, this._cryptoKeyRing[keyIndex].encryptionKey, new Uint8Array(encodedFrame.data,

  299.                     UNENCRYPTED_BYTES[encodedFrame.type],

  300.                     encodedFrame.data.byteLength - (UNENCRYPTED_BYTES[encodedFrame.type]

  301.                     + DIGEST_LENGTH[encodedFrame.type] + counterLength + 1))

  302.             ).then(plainText => {

  303.                 const newData = new ArrayBuffer(UNENCRYPTED_BYTES[encodedFrame.type] + plainText.byteLength);

  304.                 const newUint8 = new Uint8Array(newData);

  305. 

  306.                 newUint8.set(frameHeader);

  307.                 newUint8.set(new Uint8Array(plainText), UNENCRYPTED_BYTES[encodedFrame.type]);

  308.                 encodedFrame.data = newData;

  309. 

  310.                 return controller.enqueue(encodedFrame);

  311.             }, e => {

  312.                 console.error(e);

  313. 

  314.                 // TODO: notify the application about error status.

  315.                 // TODO: For video we need a better strategy since we do not want to based any

  316.                 // non-error frames on a garbage keyframe.

  317.                 if (encodedFrame.type === undefined) { // audio, replace with silence.

  318.                     const newData = new ArrayBuffer(3);

  319.                     const newUint8 = new Uint8Array(newData);

  320. 

  321.                     newUint8.set([ 0xd8, 0xff, 0xfe ]); // opus silence frame.

  322.                     encodedFrame.data = newData;

  323.                     controller.enqueue(encodedFrame);

  324.                 }

  325.             });

  326.         }

  327. 

  328.         // TODO: this just passes through to the decoder. Is that ok? If we don't know the key yet

  329.         // we might want to buffer a bit but it is still unclear how to do that (and for how long etc).

  330.         controller.enqueue(encodedFrame);

  331.     }

  332. }