livekit · lukasIO · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/.changeset/bright-islands-collect.md b/.changeset/bright-islands-collect.md
@@ -0,0 +1,4 @@
+---
+"livekit-client": patch
+---
+Fix transceiver reuse for e2ee and add more verbose e2ee debug logging
diff --git a/src/e2ee/KeyProvider.ts b/src/e2ee/KeyProvider.ts
@@ -12,7 +12,7 @@ import { createKeyMaterialFromBuffer, createKeyMaterialFromString } from './util
 export class BaseKeyProvider extends (EventEmitter as new () => TypedEventEmitter<KeyProviderCallbacks>) {
   private keyInfoMap: Map<string, KeyInfo>;
 
-  private options: KeyProviderOptions;
+  private readonly options: KeyProviderOptions;
 
   constructor(options: Partial<KeyProviderOptions> = {}) {
     super();
@@ -29,6 +29,11 @@ export class BaseKeyProvider extends (EventEmitter as new () => TypedEventEmitte
    */
   protected onSetEncryptionKey(key: CryptoKey, participantIdentity?: string, keyIndex?: number) {
     const keyInfo: KeyInfo = { key, participantIdentity, keyIndex };
+    if (!this.options.sharedKey && !participantIdentity) {
+      throw new Error(
+        'participant identity needs to be passed for encryption key if sharedKey option is false',
+      );
+    }
     this.keyInfoMap.set(`${participantIdentity ?? 'shared'}-${keyIndex ?? 0}`, keyInfo);
     this.emit(KeyProviderEvent.SetKey, keyInfo);
   }

diff --git a/src/e2ee/worker/FrameCryptor.ts b/src/e2ee/worker/FrameCryptor.ts
@@ -83,6 +83,14 @@ export class FrameCryptor extends BaseFrameCryptor {
     this.sifGuard = new SifGuard();
   }
 
+  private get logContext() {
+    return {
+      identity: this.participantIdentity,
+      trackId: this.trackId,
+      fallbackCodec: this.videoCodec,
+    };
+  }
+
   /**
    * Assign a different participant to the cryptor.
    * useful for transceiver re-use
@@ -96,6 +104,7 @@ export class FrameCryptor extends BaseFrameCryptor {
   }
 
   unsetParticipant() {
+    workerLogger.debug('unsetting participant', this.logContext);
     this.participantIdentity = undefined;
   }
 
@@ -143,6 +152,13 @@ export class FrameCryptor extends BaseFrameCryptor {
       this.videoCodec = codec;
     }
 
+    workerLogger.debug('Setting up frame cryptor transform', {
+      operation,
+      passedTrackId: trackId,
+      codec,
+      ...this.logContext,
+    });
+
     const transformFn = operation === 'encode' ? this.encodeFunction : this.decodeFunction;
     const transformStream = new TransformStream({
       transform: transformFn.bind(this),
@@ -159,6 +175,7 @@ export class FrameCryptor extends BaseFrameCryptor {
   }
 
   setSifTrailer(trailer: Uint8Array) {
+    workerLogger.debug('setting SIF trailer', { ...this.logContext, trailer });
     this.sifTrailer = trailer;
   }
 
@@ -212,6 +229,8 @@ export class FrameCryptor extends BaseFrameCryptor {
         encodedFrame.timestamp,
       );
       let frameInfo = this.getUnencryptedBytes(encodedFrame);
+      workerLogger.debug('frameInfo for encoded frame', { ...frameInfo, ...this.logContext });
+
       // Thіs is not encrypted and contains the VP8 payload descriptor or the Opus TOC byte.
       const frameHeader = new Uint8Array(encodedFrame.data, 0, frameInfo.unencryptedBytes);
 
@@ -262,6 +281,7 @@ export class FrameCryptor extends BaseFrameCryptor {
         workerLogger.error(e);
       }
     } else {
+      workerLogger.debug('failed to decrypt, emitting error', this.logContext);
       this.emit(
         CryptorEvent.Error,
         new CryptorError(`encryption key missing for encoding`, CryptorErrorReason.MissingKey),
@@ -284,11 +304,13 @@ export class FrameCryptor extends BaseFrameCryptor {
       // skip for decryption for empty dtx frames
       encodedFrame.data.byteLength === 0
     ) {
+      workerLogger.debug('skipping empty frame', this.logContext);
       this.sifGuard.recordUserFrame();
       return controller.enqueue(encodedFrame);
     }
 
     if (isFrameServerInjected(encodedFrame.data, this.sifTrailer)) {
+      workerLogger.debug('enqueue SIF', this.logContext);
       this.sifGuard.recordSif();
 
       if (this.sifGuard.isSifAllowed()) {
@@ -312,6 +334,7 @@ export class FrameCryptor extends BaseFrameCryptor {
         const decodedFrame = await this.decryptFrame(encodedFrame, keyIndex);
         this.keys.decryptionSuccess();
         if (decodedFrame) {
+          workerLogger.debug('enqueue decrypted frame', this.logContext);
           return controller.enqueue(decodedFrame);
         }
       } catch (error) {
@@ -352,6 +375,8 @@ export class FrameCryptor extends BaseFrameCryptor {
       throw new TypeError(`no encryption key found for decryption of ${this.participantIdentity}`);
     }
     let frameInfo = this.getUnencryptedBytes(encodedFrame);
+    workerLogger.debug('frameInfo for decoded frame', { ...frameInfo, ...this.logContext });
+
     // Construct frame trailer. Similar to the frame header described in
     // https://tools.ietf.org/html/draft-omara-sframe-00#section-4.2
     // but we put it at the end.
@@ -566,6 +591,7 @@ export class FrameCryptor extends BaseFrameCryptor {
     // @ts-expect-error payloadType is not yet part of the typescript definition and currently not supported in Safari
     const payloadType = frame.getMetadata().payloadType;
     const codec = payloadType ? this.rtpMap.get(payloadType) : undefined;
+    workerLogger.debug('reading codec from frame', { codec, ...this.logContext });
     return codec;
   }
 }

diff --git a/src/e2ee/worker/ParticipantKeyHandler.ts b/src/e2ee/worker/ParticipantKeyHandler.ts
@@ -133,15 +133,19 @@ export class ParticipantKeyHandler extends (EventEmitter as new () => TypedEvent
 
   /**
    * takes in a key material with `deriveBits` and `deriveKey` set as key usages
-   * and derives encryption keys from the material and sets it on the key ring buffer
+   * and derives encryption keys from the material and sets it on the key ring buffers
    * together with the material
    * also updates the currentKeyIndex
    */
-  async setKeyFromMaterial(material: CryptoKey, keyIndex = 0, emitRatchetEvent = false) {
-    const newIndex = keyIndex >= 0 ? keyIndex % this.cryptoKeyRing.length : -1;
-    workerLogger.debug(`setting new key with index ${newIndex}`);
+  async setKeyFromMaterial(material: CryptoKey, keyIndex: number, emitRatchetEvent = false) {
     const keySet = await deriveKeys(material, this.keyProviderOptions.ratchetSalt);
-    this.setKeySet(keySet, newIndex >= 0 ? newIndex : this.currentKeyIndex, emitRatchetEvent);
+    const newIndex = keyIndex >= 0 ? keyIndex % this.cryptoKeyRing.length : this.currentKeyIndex;
+    workerLogger.debug(`setting new key with index ${keyIndex}`, {
+      usage: material.usages,
+      algorithm: material.algorithm,
+      ratchetSalt: this.keyProviderOptions.ratchetSalt,
+    });
+    this.setKeySet(keySet, newIndex, emitRatchetEvent);
     if (newIndex >= 0) this.currentKeyIndex = newIndex;
   }
 

diff --git a/src/e2ee/worker/e2ee.worker.ts b/src/e2ee/worker/e2ee.worker.ts
@@ -21,8 +21,6 @@ let isEncryptionEnabled: boolean = false;
 
 let useSharedKey: boolean = false;
 
-let sharedKey: CryptoKey | undefined;
-
 let sifTrailer: Uint8Array | undefined;
 
 let keyProviderOptions: KeyProviderOptions = KEY_PROVIDER_DEFAULTS;
@@ -72,10 +70,9 @@ onmessage = (ev) => {
       break;
     case 'setKey':
       if (useSharedKey) {
-        workerLogger.warn('set shared key');
         setSharedKey(data.key, data.keyIndex);
       } else if (data.participantIdentity) {
-        workerLogger.warn(
+        workerLogger.info(
           `set participant sender key ${data.participantIdentity} index ${data.keyIndex}`,
         );
         getParticipantKeyHandler(data.participantIdentity).setKey(data.key, data.keyIndex);
@@ -125,9 +122,7 @@ async function handleRatchetRequest(data: RatchetRequestMessage['data']) {
 }
 
 function getTrackCryptor(participantIdentity: string, trackId: string) {
-  let cryptor = participantCryptors.find(
-    (c) => c.getParticipantIdentity() === participantIdentity && c.getTrackId() === trackId,
-  );
+  let cryptor = participantCryptors.find((c) => c.getTrackId() === trackId);
   if (!cryptor) {
     workerLogger.info('creating new cryptor for', { participantIdentity });
     if (!keyProviderOptions) {
@@ -146,8 +141,7 @@ function getTrackCryptor(participantIdentity: string, trackId: string) {
     // assign new participant id to track cryptor and pass in correct key handler
     cryptor.setParticipant(participantIdentity, getParticipantKeyHandler(participantIdentity));
   }
-  if (sharedKey) {
-  }
+
   return cryptor;
 }
 
@@ -158,9 +152,6 @@ function getParticipantKeyHandler(participantIdentity: string) {
   let keys = participantKeys.get(participantIdentity);
   if (!keys) {
     keys = new ParticipantKeyHandler(participantIdentity, keyProviderOptions);
-    if (sharedKey) {
-      keys.setKey(sharedKey);
-    }
     keys.on(KeyHandlerEvent.KeyRatcheted, emitRatchetedKeys);
     participantKeys.set(participantIdentity, keys);
   }
@@ -169,24 +160,32 @@ function getParticipantKeyHandler(participantIdentity: string) {
 
 function getSharedKeyHandler() {
   if (!sharedKeyHandler) {
+    workerLogger.debug('creating new shared key handler');
     sharedKeyHandler = new ParticipantKeyHandler('shared-key', keyProviderOptions);
   }
   return sharedKeyHandler;
 }
 
 function unsetCryptorParticipant(trackId: string, participantIdentity: string) {
-  participantCryptors
-    .find((c) => c.getParticipantIdentity() === participantIdentity && c.getTrackId() === trackId)
-    ?.unsetParticipant();
+  const cryptor = participantCryptors.find(
+    (c) => c.getParticipantIdentity() === participantIdentity && c.getTrackId() === trackId,
+  );
+  if (!cryptor) {
+    workerLogger.warn('Could not unset participant on cryptor', { trackId, participantIdentity });
+  } else {
+    cryptor.unsetParticipant();
+  }
 }
 
 function setEncryptionEnabled(enable: boolean, participantIdentity: string) {
+  workerLogger.debug(`setting encryption enabled for all tracks of ${participantIdentity}`, {
+    enable,
+  });
   encryptionEnabledMap.set(participantIdentity, enable);
 }
 
 function setSharedKey(key: CryptoKey, index?: number) {
-  workerLogger.debug('setting shared key');
-  sharedKey = key;
+  workerLogger.info('set shared key', { index });
   getSharedKeyHandler().setKey(key, index);
 }
 

diff --git a/src/room/Room.ts b/src/room/Room.ts
@@ -574,16 +574,23 @@ class Room extends (EventEmitter as new () => TypedEmitter<RoomEventCallbacks>)
     this.localParticipant.sid = pi.sid;
     this.localParticipant.identity = pi.identity;
 
+    if (this.options.e2ee && this.e2eeManager) {
+      try {
+        this.e2eeManager.setSifTrailer(joinResponse.sifTrailer);
+      } catch (e: any) {
+        this.log.error(e instanceof Error ? e.message : 'Could not set SifTrailer', {
+          ...this.logContext,
+          error: e,
+        });
+      }
+    }
+
     // populate remote participants, these should not trigger new events
     this.handleParticipantUpdates([pi, ...joinResponse.otherParticipants]);
 
     if (joinResponse.room) {
       this.handleRoomUpdate(joinResponse.room);
     }
-
-    if (this.options.e2ee && this.e2eeManager) {
-      this.e2eeManager.setSifTrailer(joinResponse.sifTrailer);
-    }
   };
 
   private attemptConnection = async (