feat: HkdfSha256 key derivation. #224
Can you add some tests to make sure things work?
| const std::vector<uint8_t>& salt, | ||
| unsigned int optional_length_bits, | ||
| std::vector<uint8_t>& derived_key) { | ||
| size_t key_size_bytes = optional_length_bits / 8; |
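Review bot: `optional_length_bits / 8` on the `key_size_bytes` line truncates silently, so a request for 100 bits derives 12 bytes and any value below 8 derives an empty key. A debug-only assert would not cover release builds; consider rejecting `optional_length_bits == 0` and `optional_length_bits % 8 != 0` with an error return before the derivation runs.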
Add an assert to make sure optional_length_bits is a multiple of 8.
| RTC_LOG(LS_ERROR) << "Failed to derive HkdfSha256 key from secret."; | ||
| return ErrorUnexpected; | ||
| } | ||
| RTC_LOG(LS_INFO) << "secret " |
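Review bot: the `RTC_LOG(LS_INFO) << "secret "` statement after the error check looks like it streams key material into the log. The line is cut off here, but if it writes the secret or the derived key, remove it rather than lowering the severity, since log output is routinely collected and shared. If a trace is needed while debugging, log only the derived key length.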
Should you use LS_DEBUG rather than LS_INFO? Btw, is the log necessary?
xianshijing-lk left a comment
lgtm assuming you will address all the comments and add the unit tests
86d5137 to 3f238c2
Is this intended to replace #223?

Hi @onestacked, yeah, we considered that besides Rust SDKs, other native SDKs (Swift/Android/Flutter/RN) also need to support HKDF key derivation. Therefore, passing a flag through KeyProviderOptions has the least impact on all platforms.

Alright I guess this is reasonable, I mostly took the callback approach to reduce the C++ side changes as much as possible and to be as flexible as possible.

I have tried this out with matrix-jukebox (and a locally patched livekit-sdk) and it works with Element Call. |
> [!IMPORTANT]
> Merging this pull request will create these releases

# libwebrtc 0.3.27 (2026-03-22)

## Features

### E2EE: allow setting key_ring_size and key_derivation_algorithm, update webrtc to m144

#921 by @onestacked

This PR uses [this webrtc-sdk PR](webrtc-sdk/webrtc#224) to configure the KDF. I've tested this with https://codeberg.org/esoteric_programmer/matrix-jukebox and it is compatible with Element Call.

Fixed: #796

## Fixes

- Fix H.264 codec matching

### add bounded buffer to audio_stream, and use 10 frames as the default

#945 by @xianshijing-lk

### fix clang build issue from zed patches (#949)

#950 by @cloudwebrtc

* webrtc-sys: Use clang instead of gcc
* Debug CI output for aarch64-linux
* ci: Install lld for aarch64-linux FFI builders
* webrtc-sys: Disable CREL

# livekit 0.7.34 (2026-03-22)

## Features

### E2EE: allow setting key_ring_size and key_derivation_algorithm, update webrtc to m144

#921 by @onestacked

This PR uses [this webrtc-sdk PR](webrtc-sdk/webrtc#224) to configure the KDF. I've tested this with https://codeberg.org/esoteric_programmer/matrix-jukebox and it is compatible with Element Call.

Fixed: #796

## Fixes

- Add disconnectReason to Room::close
- End-to-end testing for video streams
- Fix H.264 codec matching

### add bounded buffer to audio_stream, and use 10 frames as the default

#945 by @xianshijing-lk

### fix PC timeout when connecting with can_subscribe=false

#955 by @s-hamdananwar

When a participant connects with `canSubscribe=false` in their token, the server sends `subscriber_primary=false` in the JoinResponse and does not send a subscriber offer. This results in `wait_pc_connection` timing out as it is expecting a subscriber PC even when the publisher PC is primary. This PR will skip waiting for subscriber PC when `subscriber_primary=false`.

### Send client os and os_version from rust

#952 by @MaxHeimbrock

Adds [os_info](https://crates.io/crates/os_info) crate as dependency and sends the data for client connections.

# livekit-ffi 0.12.50 (2026-03-22)

## Features

### E2EE: allow setting key_ring_size and key_derivation_algorithm, update webrtc to m144

#921 by @onestacked

This PR uses [this webrtc-sdk PR](webrtc-sdk/webrtc#224) to configure the KDF. I've tested this with https://codeberg.org/esoteric_programmer/matrix-jukebox and it is compatible with Element Call.

Fixed: #796

## Fixes

- Fix H.264 codec matching

### add bounded buffer to audio_stream, and use 10 frames as the default

#945 by @xianshijing-lk

### Send client os and os_version from rust

#952 by @MaxHeimbrock

Adds [os_info](https://crates.io/crates/os_info) crate as dependency and sends the data for client connections.

# webrtc-sys 0.3.25 (2026-03-22)

## Fixes

- fix: enable AGC2 adaptive digital controller
- Fix H.264 codec matching

### E2EE: allow setting key_ring_size and key_derivation_algorithm, update webrtc to m144

#921 by @onestacked

This PR uses [this webrtc-sdk PR](webrtc-sdk/webrtc#224) to configure the KDF. I've tested this with https://codeberg.org/esoteric_programmer/matrix-jukebox and it is compatible with Element Call.

Fixed: #796

### fix clang build issue from zed patches (#949)

#950 by @cloudwebrtc

* webrtc-sys: Use clang instead of gcc
* Debug CI output for aarch64-linux
* ci: Install lld for aarch64-linux FFI builders
* webrtc-sys: Disable CREL

# livekit-datatrack 0.1.1 (2026-03-22)

## Features

- Initial release.

# webrtc-sys-build 0.3.14 (2026-03-22)

## Fixes

### fix: Bump webrtc build to fix build for Android JNI prefixed.

#954 by @cloudwebrtc

### fix clang build issue from zed patches (#949)

#950 by @cloudwebrtc

* webrtc-sys: Use clang instead of gcc
* Debug CI output for aarch64-linux
* ci: Install lld for aarch64-linux FFI builders
* webrtc-sys: Disable CREL

# livekit-protocol 0.7.2 (2026-03-22)

## Fixes

- Add disconnectReason to Room::close

# livekit-api 0.4.16 (2026-03-22)

## Fixes

### Send client os and os_version from rust

#952 by @MaxHeimbrock

Adds [os_info](https://crates.io/crates/os_info) crate as dependency and sends the data for client connections.

Co-authored-by: knope-bot[bot] <152252888+knope-bot[bot]@users.noreply.github.com>
Added useHKDF option to KeyProviderOptions. When enabled, uses RTCKeyDerivationAlgorithmHKDF instead of PBKDF2. This enables E2EE compatibility between native SDK and JS SDK. Requires webrtc-xcframework >= 144.7559.02 which includes webrtc-sdk/webrtc#224 (HkdfSha256 key derivation).
No description provided.
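The interoperability point in the useHKDF note above (HKDF instead of PBKDF2) and the review request for a multiple-of-8 length check, as an added Python example that is not code from this PR or from any LiveKit SDK. The function names, the `info` parameter, the PBKDF2 iteration count and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length_bits: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256; the length is given in bits, as in the PR."""
    # Reject lengths that integer division by 8 would silently truncate.
    if length_bits <= 0 or length_bits % 8 != 0:
        raise ValueError("length_bits must be a positive multiple of 8")
    length = length_bits // 8
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can produce at most 255 * 32 bytes")
    # Extract: PRK = HMAC(salt, secret); an empty salt means HASH_LEN zero bytes.
    prk = hmac.new(salt or bytes(HASH_LEN), secret, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def pbkdf2_sha256(secret: bytes, salt: bytes, iterations: int, length_bits: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the same bit-length contract."""
    if length_bits <= 0 or length_bits % 8 != 0:
        raise ValueError("length_bits must be a positive multiple of 8")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=length_bits // 8)


def keys_match(secret: bytes, salt: bytes, length_bits: int = 128) -> bool:
    """True if an HKDF peer and a PBKDF2 peer would end up with the same key."""
    a = hkdf_sha256(secret, salt, b"", length_bits)
    b = pbkdf2_sha256(secret, salt, 100_000, length_bits)  # iteration count is assumed
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample inputs, not values from any SDK.
    print("peers interoperate:", keys_match(b"shared passphrase", b"constructed-salt"))
```

Two peers sharing the same secret and salt still derive unrelated keys when one side uses HKDF and the other PBKDF2, which is why the algorithm has to be configurable on every SDK.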