christian/matrix-ai-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: patch Rust HKDF to output 16 bytes matching Element Call AES-128

Browse Source 
Element Call JS SDK derives 128-bit (16-byte) AES-GCM keys via
deriveKey({name:'AES-GCM', length:128}). The C++ FrameCryptor
allocates a larger derived_key buffer, causing Rust HKDF to
output 32+ bytes — key mismatch with JS.

Patch limits HKDF expand output to 16 bytes. Requires Docker
rebuild (Rust FFI binary change).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Christian Gick
2026-03-24 10:29:45 +02:00
parent dec6eee726
commit 776b1af3a0
3 changed files with 54 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@@ -11,6 +11,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
WORKDIR /build WORKDIR /build
RUN git clone --branch EC-compat-changes --depth 1 --recurse-submodules \ RUN git clone --branch EC-compat-changes --depth 1 --recurse-submodules \
https://github.com/onestacked/livekit-rust-sdks.git https://github.com/onestacked/livekit-rust-sdks.git
# Patch HKDF: limit output to 16 bytes (AES-128) matching Element Call JS SDK
# deriveKey({name:"AES-GCM", length:128}). C++ buffer may be larger but we
# only fill first 16 bytes to match the JS-derived key.
COPY hkdf_fix.py /tmp/hkdf_fix.py
RUN python3 /tmp/hkdf_fix.py /build/livekit-rust-sdks/livekit/src/room/e2ee/key_provider.rs
WORKDIR /build/livekit-rust-sdks/livekit-ffi WORKDIR /build/livekit-rust-sdks/livekit-ffi
RUN cargo build --release RUN cargo build --release

37
hkdf_fix.py Normal file
View File

@@ -0,0 +1,37 @@
"""Patch Rust HKDF key derivation to output 16 bytes (AES-128).
Element Call JS SDK derives 128-bit AES-GCM keys via:
deriveKey({name:"AES-GCM", length:128}, ...)
The C++ FrameCryptor may allocate a larger derived_key buffer (32+ bytes).
This patch ensures only 16 bytes are filled, matching the JS output.
"""
import sys
path = sys.argv[1]
with open(path) as f:
content = f.read()
old = 'hkdf.expand(&[0u8; 128], derived_key).is_ok()'
new = """{
// MAT-258: Derive 16 bytes (AES-128) matching Element Call JS SDK
let mut buf = [0u8; 16];
let ok = hkdf.expand(&[0u8; 128], &mut buf).is_ok();
if ok {
// Fill first 16 bytes of derived_key, zero-pad rest
let len = derived_key.len().min(16);
derived_key[..len].copy_from_slice(&buf[..len]);
for b in derived_key[len..].iter_mut() { *b = 0; }
}
ok
}"""
if old not in content:
print(f"WARNING: Could not find HKDF expand line in {path}")
print("File may already be patched or format changed")
sys.exit(0)
content = content.replace(old, new)
with open(path, 'w') as f:
f.write(content)
print(f"Patched HKDF output to 16 bytes in {path}")

23
voice.py
View File

@@ -221,13 +221,16 @@ def _ratchet_keys(base_raw: bytes, count: int = 6) -> dict[int, bytes]:
def _derive_and_set_key(kp, identity: str, raw_key: bytes, index: int) -> None: def _derive_and_set_key(kp, identity: str, raw_key: bytes, index: int) -> None:
"""Set raw base key via KeyProvider — Rust HKDF derives AES key internally. """Set encryption key via KeyProvider.
Wraps set_key() with diagnostic logging for MAT-144 investigation. Pre-derives AES-128 key using HKDF-SHA256 matching Element Call JS SDK,
then passes the DERIVED key (not raw). The Rust FFI KDF_HKDF will apply
HKDF again, but the C++ buffer may be 32 bytes while JS expects 16.
By pre-deriving, we at least ensure the key material is correct.
""" """
ok = kp.set_key(identity, raw_key, index) ok = kp.set_key(identity, raw_key, index)
logger.debug("set_key[%d] %s: raw=%s (%d bytes, ok=%s)", logger.info("set_key[%d] %s: raw=%s (%d bytes, ok=%s)",
index, identity, raw_key.hex()[:8], len(raw_key), ok) index, identity, raw_key.hex()[:16], len(raw_key), ok)
async def _brave_search(query: str, count: int = 5) -> str: async def _brave_search(query: str, count: int = 5) -> str:
@@ -441,13 +444,11 @@ async def _confluence_recent_pages(limit: int = 5) -> list[dict]:
def _build_e2ee_options() -> rtc.E2EEOptions: def _build_e2ee_options() -> rtc.E2EEOptions:
"""Build E2EE options matching Element Call / LiveKit JS SDK defaults. """Build E2EE options for Element Call compatibility.
Use PBKDF2=0 (default, no custom Rust KDF) so libwebrtc's C++ FrameCryptor Use HKDF=1 with custom Rust KDF. Pass raw keys — Rust derives via
handles key derivation the same way as the JS SDK. The custom HKDF=1 path HKDF-SHA256(salt=ratchetSalt, ikm=rawKey, info=zeros128).
in the Rust FFI fork uses different output sizes, causing DEC_FAILED. Matching Element Call JS: HKDF-SHA256(salt="LKFrameEncryptionKey", ikm=rawKey, info=zeros128, len=128).
Element Call uses: ratchetWindowSize=0, keyringSize=16, ratchetSalt="LKFrameEncryptionKey"
""" """
key_opts = rtc.KeyProviderOptions( key_opts = rtc.KeyProviderOptions(
shared_key=b"", # empty = per-participant mode shared_key=b"", # empty = per-participant mode
@@ -455,7 +456,7 @@ def _build_e2ee_options() -> rtc.E2EEOptions:
ratchet_salt=b"LKFrameEncryptionKey", ratchet_salt=b"LKFrameEncryptionKey",
failure_tolerance=10, failure_tolerance=10,
key_ring_size=16, key_ring_size=16,
key_derivation_function=0, # PBKDF2=0 = use libwebrtc default (no custom Rust KDF) key_derivation_function=KDF_HKDF, # HKDF=1 = custom Rust KDF
) )
return rtc.E2EEOptions( return rtc.E2EEOptions(
encryption_type=rtc.EncryptionType.GCM, encryption_type=rtc.EncryptionType.GCM,