End to end encryption (#107)

* save

* Adding a PacketWrapper protobuf type and key protobuf types

* Rebase with new connection model

* Add cargo workspace

* cargo fmt

* cargo fmt

* Save close but no cigar

* e2ee working poc - but it is laggy

* allow non_camel_case_types

* Encrypt heartbeats, clippy fix, it's smoother now

* clippy fix

* cargo fmt

* Adding sequence diagram

* If key doesn't exist send new pub key message

* Rename proto var

* Handle peers refreshing keys

* fmt

* Add feature flag for e2ee

* Add missing env var

* Same block

* cargo clippy --fix

* Removing unwraps

* Refactor log statements with levels

* Logging level

* cargo fmt

.github/workflows/cargo-test.yaml

@@ -19,6 +19,7 @@ env:
   WEBTRANSPORT_HOST: yeet
   ENABLE_OAUTH: false
   WEBTRANSPORT_ENABLED: true
+  E2EE_ENABLED: true
 
 jobs:
 
@@ -32,7 +33,7 @@ jobs:
           components: clippy, rustfmt
       - run: cd actix-api && cargo clippy -- --deny warnings
       - run: cd actix-api && cargo fmt --check
-      - run: cd actix-api && cargo test 
+      - run: cd actix-api && cargo test
 
 
   lint-ui:

actix-api/src/actors/chat_server.rs

@@ -94,7 +94,7 @@ impl Handler<ClientMessage> for ChatServer {
             user: _,
         } = msg;
         trace!("got message in server room {} session {}", room, session);
-        self.send_message(&room, &msg.media_packet, session);
+        self.send_message(&room, &msg.data, session);
     }
 }
 

actix-api/src/actors/chat_session.rs

@@ -1,4 +1,4 @@
-use crate::messages::server::{ClientMessage, MediaPacketUpdate};
+use crate::messages::server::{ClientMessage, Packet};
 use crate::messages::session::Message;
 use crate::{actors::chat_server::ChatServer, constants::CLIENT_TIMEOUT};
 use std::sync::Arc;
@@ -102,10 +102,10 @@ impl Handler<Message> for WsChatSession {
     }
 }
 
-impl Handler<MediaPacketUpdate> for WsChatSession {
+impl Handler<Packet> for WsChatSession {
     type Result = ();
 
-    fn handle(&mut self, msg: MediaPacketUpdate, _ctx: &mut Self::Context) -> Self::Result {
+    fn handle(&mut self, msg: Packet, _ctx: &mut Self::Context) -> Self::Result {
         let room_id = self.room.clone();
         trace!(
             "got message and sending to chat session {} email {} room {}",
@@ -136,8 +136,8 @@ impl StreamHandler<Result<ws::Message, ws::ProtocolError>> for WsChatSession {
 
         match msg {
             ws::Message::Binary(msg) => {
-                ctx.notify(MediaPacketUpdate {
-                    media_packet: Arc::new(msg.to_vec()),
+                ctx.notify(Packet {
+                    data: Arc::new(msg.to_vec()),
                 });
             }
             ws::Message::Ping(msg) => {

actix-api/src/messages/server/mod.rs

@@ -11,7 +11,7 @@ pub struct ClientMessage {
     pub session: SessionId,
     pub user: String,
     pub room: RoomId,
-    pub msg: MediaPacketUpdate,
+    pub msg: Packet,
 }
 
 #[derive(ActixMessage)]
@@ -30,8 +30,8 @@ pub struct Connect {
 
 #[derive(ActixMessage)]
 #[rtype(result = "()")]
-pub struct MediaPacketUpdate {
-    pub media_packet: Arc<Vec<u8>>,
+pub struct Packet {
+    pub data: Arc<Vec<u8>>,
 }
 
 #[derive(ActixMessage)]

bot/src/main.rs

@@ -22,7 +22,6 @@ async fn main() {
     let email_prefix = env::var("EMAIL_PREFIX").unwrap_or_else(|_| "".to_string());
 
     (0..n_clients)
-        .into_iter()
         .map(|_| async {
             let handle = create_client(&endpoint, &room, &echo_user, &email_prefix).await;
             let _ = handle.await;

docker/docker-compose.yaml

@@ -22,6 +22,7 @@ services:
       - RUSTFLAGS=--cfg=web_sys_unstable_apis
       - RUST_BACKTRACE=1
       - WEBTRANSPORT_ENABLED=${WEBTRANSPORT_ENABLED:-false}
+      - E2EE_ENABLED=${E2EE_ENABLED:-false}
     ports:
       - "${TRUNK_SERVE_PORT:-80}:${TRUNK_SERVE_PORT:-80}"
 

protobuf/build-env-rust.Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:1.62-slim
+FROM rust:1.71-slim
 ENV DEBIAN_FRONTEND=noninteractive
 ARG USER
 ARG UID

protobuf/types/aes_packet.proto

@@ -0,0 +1,6 @@
+syntax = "proto3";
+
+message AesPacket {
+  bytes key = 1;
+  bytes iv = 2;
+}

protobuf/types/packet_wrapper.proto

@@ -0,0 +1,12 @@
+syntax = "proto3";
+
+message PacketWrapper {
+  enum PacketType {
+    RSA_PUB_KEY = 0;
+    AES_KEY = 1;
+    MEDIA = 2;
+  }
+  PacketType packet_type = 1;
+  string email = 2;
+  bytes data = 3;
+}

protobuf/types/rsa_packet.proto

@@ -0,0 +1,6 @@
+syntax = "proto3";
+
+message RsaPacket {
+  bytes public_key_der = 1;
+  string username = 2;
+}

sequence-diagram.txt

@@ -0,0 +1,55 @@
+title videocall-rs e2ee sequence diagram
+
+participant Alice
+participant Bob
+participant Server
+participant Casey
+
+
+Alice->Server:Alice joins room 1
+Alice->Server:Alice starts sending encrypted heartbeats
+Alice->Server:Alice sends RSA pub key message
+
+Bob->Server:Bob joins room 1
+Bob->Server:Bob starts sending encrypted heartbeats
+Bob->Server:Bob sends RSA pub key message
+
+Server->Alice:Server sends Bob's RSA pub key message to Alice
+Alice-->Server:Responding to Bob's RSA pub key msg, Alice encrypts their AES key with Bob's RSA pub key and sends it to the server
+Server-->Bob:Bob receives the AES msg from Alice and decrypts it with Bob's RSA private key
+
+Alice->Server:Alice notices that Bob is a new peer and sends the RSA pub key message again
+Server->Bob:Server sends Alice's RSA pub key message to Bob
+Bob-->Server:Responding to Alices's RSA pub key msg, Bob encrypts their AES key with Alice's RSA pub key and sends it to the server
+Server-->Alice:Alice receives the AES msg from Bob and decrypts it with Alice's RSA private key
+
+Casey->Server:Casey joins room 1
+Casey->Server:Casey starts sending encrypted heartbeats
+Casey->Server:Casey sends RSA pub key message
+
+Server->Alice:Server sends Casey's RSA pub key message to Alice
+Alice-->Server:Responding to Casey's RSA pub key msg, Alice encrypts their AES key with Casey's RSA pub key and sends it to the server
+Server-->Casey:Casey receives the AES msg from Alice and decrypts it with Casey's RSA private key
+
+Server->Bob:Server sends Casey's RSA pub key message to Bob
+Bob-->Server:Responding to Casey's RSA pub key msg, Bob encrypts their AES key with Casey's RSA pub key and sends it to the server
+Server-->Casey:Casey receives the AES msg from Bob and decrypts it with Casey's RSA private key
+
+Alice->Server:Alice notices that Casey is a new peer and sends the RSA pub key message again
+Server->Casey:Server sends Alice's RSA pub key message to Casey
+Casey-->Server:Responding to Alices's RSA pub key msg, Casey encrypts their AES key with Alice's RSA pub key and sends it to the server
+Server-->Alice:Alice receives the AES msg from Casey and decrypts it with Alice's RSA private key
+
+Server->Bob:Server sends Alice's RSA pub key message to Bob
+Bob-->Server:Responding to Alices's RSA pub key msg, Bob encrypts their AES key with Alice's RSA pub key and sends it to the server
+Server-->Alice:Alice receives the AES msg from Bob and decrypts it with Alice's RSA private key
+
+Bob->Server:Bob notices that Casey is a new peer and sends the RSA pub key message again
+Server->Casey:Server sends Bob's RSA pub key message to Casey
+Casey-->Server:Responding to Bob's RSA pub key msg, Casey encrypts their AES key with Bob's RSA pub key and sends it to the server
+Server-->Bob:Bob receives the AES msg from Casey and decrypts it with Bob's RSA private key
+
+Server->Alice:Server sends Bob's RSA pub key message to Alice
+Alice-->Server:Responding to Bob's RSA pub key msg, Alice encrypts their AES key with Bob's RSA pub key and sends it to the server
+Server-->Bob:Bob receives the AES msg from Alice and decrypts it with Bob's RSA private key
+

types/Cargo.toml

@@ -8,4 +8,5 @@ edition = "2021"
 [dependencies]
 serde_json = "1.0.81"
 serde = { version = "1.0.37", features = ["derive"]}
-protobuf = "3.2.0"
+protobuf = "3.2.0"
+yew-websocket = "1.0.1"