Skip to content

feature(e2ee): add data channel encryption #708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lukasIO merged 57 commits into from
Oct 8, 2025
Merged

feature(e2ee): add data channel encryption #708

lukasIO merged 57 commits into from
Oct 8, 2025

Conversation

@lukasIO
Copy link
Contributor

@lukasIO lukasIO commented Sep 18, 2025
edited
Loading

this PR adds data channel encryption capabilities.
For backwards compatibility this is not enabled on existing implementations.
Instead RoomOptions.e2ee is being deprecated (no dc encryption) and a new RoomOptions.encryption field is introduced which enables data channel encryption

cloudwebrtc and others added 30 commits August 28, 2025 10:21
@cloudwebrtc
chore: Upgrade libwebrtc to m137.
8fbd62f
@cloudwebrtc
fix compile issue for linux.
ffd5ba9
@cloudwebrtc
fix.
1815e23
@cloudwebrtc
Add g++ for aarch64 to Ubuntu dependencies
ed6063d
@cloudwebrtc
fix build for linux arm64.
687edc5
@cloudwebrtc
Remove goma usage and switch to autoninja
f12118e
@cloudwebrtc
fix android build.
d6c8d68
@cloudwebrtc
fix build on linux arm64 for gcc.
770f172
@cloudwebrtc
Update Windows OS version in workflow configuration
996a202
@cloudwebrtc
Add GCC 14 installation steps for Ubuntu
2b90351
@cloudwebrtc
Update webrtc-builds.yml
79872ad
@cloudwebrtc
Change Windows OS to latest and add SDK installation
b698d1a
@cloudwebrtc
Update webrtc-builds.yml
03921f3
@cloudwebrtc
Update webrtc-builds.yml
3d304de
@cloudwebrtc
Update webrtc-builds.yml
016bdef
@cloudwebrtc
Update webrtc-builds.yml
5edf00e
@cloudwebrtc
Update build_linux.sh
48f6587
@cloudwebrtc
Update webrtc-builds.yml
10848d6
@cloudwebrtc
Update webrtc-builds.yml
756d71a
@cloudwebrtc
Update build_windows.cmd
2e92f57
@cloudwebrtc
cargo fmt.
41531ed
@lukasIO
Merge branch 'main' into lukas/dc-e2ee
8ee57fa
@cloudwebrtc
Update build_windows.cmd
c7695c4
@lukasIO
Merge branch 'duan/upgrade-libwebrtc-to-m137' into lukas/dc-e2ee
2f17c07
@lukasIO
Add new encryption room options field and forward to e2ee_manager
9069b80
@lukasIO
libwebrtc ffi
d29e7f8
@lukasIO
Merge branch 'main' into lukas/dc-e2ee
4249366
@lukasIO
fix ffi
ee519e4
@lukasIO
add data packet cryptor to webrtc crate
3c00272
@lukasIO
add data frame cryptor handling on rtc session
bf20551
@lukasIO lukasIO changed the title DC e2ee feature(e2ee): add data channel encryption Sep 19, 2025
@lukasIO lukasIO marked this pull request as ready for review September 19, 2025 12:35
ladvoc
ladvoc reviewed Sep 23, 2025
View reviewed changes
examples/encrypted_text_stream/src/main.rs
};

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
Copy link
Contributor

@ladvoc ladvoc Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice example!

livekit/src/room/mod.rs Outdated
pub auto_subscribe: bool,
pub adaptive_stream: bool,
pub dynacast: bool,
#[deprecated(note = "Use `encryption` field instead, see x for a detailed explanation")]
Copy link
Contributor

@ladvoc ladvoc Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have something ready to link for "x"?

Copy link
Contributor Author

@lukasIO lukasIO Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

currently wip, will wait for the actual link to update and merge

@ladvoc ladvoc mentioned this pull request Sep 25, 2025
Closed
cloudwebrtc
cloudwebrtc approved these changes Sep 29, 2025
View reviewed changes
Copy link
Contributor

@cloudwebrtc cloudwebrtc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

lukasIO
lukasIO commented Sep 30, 2025
View reviewed changes
livekit/src/room/data_stream/incoming.rs
identity: String,
encryption_type: livekit_protocol::encryption::Type,
) {
let Ok(info) = AnyStreamInfo::try_from_with_encryption(header, encryption_type.into())
Copy link
Contributor Author

@lukasIO lukasIO Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ladvoc sorry, ended up messing with this anyways as I feel having the encryption type on the stream info does in fact make sense?
Let me know if you think that's unnecessary and I'll remove this again

Copy link
Contributor

@ladvoc ladvoc Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think it makes sense to enforce the encryption type specified in the header.

lukasIO
lukasIO commented Sep 30, 2025
View reviewed changes
livekit/src/room/data_stream/mod.rs
Internal,

#[error("encryption type mismatch")]
EncryptionTypeMismatch,
Copy link
Contributor Author

@lukasIO lukasIO Sep 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ladvoc is it ok to introduce this as a new error type? I think we also forgot non_exhaustive here?

lukasIO
lukasIO commented Sep 30, 2025
View reviewed changes
livekit/src/room/data_stream/mod.rs
type Error = StreamError;

fn try_from(mut header: proto::Header) -> Result<Self, Self::Error> {
Self::try_from_with_encryption(header, EncryptionType::None)
Copy link
Contributor Author

@lukasIO lukasIO Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we keep the new try_from_with_encryption, we could probably remove this one here

ladvoc
ladvoc approved these changes Sep 30, 2025
View reviewed changes
livekit/src/room/data_stream/incoming.rs
identity: String,
encryption_type: livekit_protocol::encryption::Type,
) {
let Ok(info) = AnyStreamInfo::try_from_with_encryption(header, encryption_type.into())
Copy link
Contributor

@ladvoc ladvoc Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think it makes sense to enforce the encryption type specified in the header.

@lukasIO lukasIO merged commit 785a7bb into main Oct 8, 2025
19 checks passed
@lukasIO lukasIO deleted the lukas/dc-e2ee branch October 8, 2025 14:07
@github-actions github-actions bot mentioned this pull request Oct 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ladvoc ladvoc ladvoc approved these changes

@cloudwebrtc cloudwebrtc cloudwebrtc approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lukasIO @ladvoc @cloudwebrtc