Where is a good place on server side to use "Insertable streams"??

[shalom-aviv]

Hi

Is it possible to add additional secure level (encrypt/decrypt with own algorithm params)?

[client 1] <-crypted with pwd1-> [Galene] <-crypted with pwd2-> [client 2]

For MVP to test idea I want implement next steps:

• clients and Galene have hardcoded pwd's and crypt algorithm params
• clients encrypt/decrypt data via insertable streams
• Galene encrypt/decrypt data via insertable streams

Is it possible at all? May be you can route me in galene code base and give some instructions? ;)

Thank you!

[jech]

I'm a little confused. The whole point of insertable streams is that the server does not know the encryption keys, so that you get end-to-end authentication. Almost all of the support should happen on the client side:

• negotiation of end-to-end keys, for example using a Diffie-Hellman exchange using the "usermessage" mechanism;
• encryption on the sender side and decryption on the client side.

As far as I can see, the only change necessary on the server side should be to ensure that the Keyframe function in codec.go returns (false, false) in the case of an end-to-end encrypted stream. You should also ensure that saving an end-to-end encrypted stream fails cleanly.

[shalom-aviv]

@jech Thanks for answer!

Clients and server will receive their keys via other channels from outside of Galene. The idea is to add additional encryption with own proprietary algorithm between the server and clients. The server is trusted and it can have access to the decrypted stream.

[jech]

Ah, I see.

Packet reception happens here: https://github.com/jech/galene/blob/master/rtpconn/rtpreader.go#L61 Packet emission happens here: https://github.com/jech/galene/blob/master/rtpconn/rtpconn.go#L224

Note that (*rtpDownTrack) Write may be called from multiple threads simultaneously, so make sure that you do proper locking if you add state.

[shalom-aviv]

@jech Thank you!