Most DAVE-encrypted audio packets fail to decrypt (~95% failure rate) #15

@iPixzl

Summary

Using davey 0.1.5 with py-cord for Discord voice receive (audio recording/STT). Transport-layer decryption (XChaCha20) works correctly and produces valid DAVE-encrypted frames with the 0xFAFA magic marker present. However, davey's DaveSession.decrypt() only successfully decrypts approximately 5% of packets. The remaining ~95% raise ValueError.

Environment

Diagnostic Data

Added logging after transport-layer decrypt, before passing data to davey.DaveSession.decrypt():

DIAG #1:  raw_payload len=178 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #2:  raw_payload len=175 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #3:  raw_payload len=166 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #4:  raw_payload len=192 last4=0dfafa01 ends_FAFA=False extended=True rtpsize=True
DIAG #5:  raw_payload len=192 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #6:  raw_payload len=186 last4=05050505 ends_FAFA=False extended=True rtpsize=True
DIAG #7:  raw_payload len=186 last4=0f0f0f0f ends_FAFA=False extended=True rtpsize=True
DIAG #8:  raw_payload len=186 last4=020cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #9:  raw_payload len=186 last4=030cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #10: raw_payload len=168 last4=040cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #500: raw_payload len=145 last4=0c0dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #1000: raw_payload len=172 last4=180dfafa ends_FAFA=True extended=True rtpsize=True

~80% of frames have valid 0xFAFA magic markers, confirming the transport-layer decrypt is working correctly and producing valid DAVE application-layer encrypted frames.

Observed Behavior

  • DaveSession.decrypt(user_id, MediaType.audio, raw_payload) raises ValueError for ~95% of packets
  • The errors appear to be UnencryptedWhenPassthroughDisabled (for frames without the marker) and NoValidCryptorFound (for frames with the marker but failed cipher decryption)
  • Only ~5% of packets decrypt successfully and produce valid Opus audio
  • The sink receives approximately 200 chunks over 80 seconds (vs expected ~4000 at 50fps)

Expected Behavior

All frames with valid 0xFAFA magic markers should decrypt successfully, resulting in continuous audio receive from Discord voice channels.

Suspected Cause

Based on reviewing the davey source (cryptor/decryptor.rs), the issue may be in:

  1. compute_wrapped_generation() — generation computation from truncated nonce may not match the sender's generation
  2. can_process_nonce() — nonce validation may be rejecting valid packets due to tracking state being out of sync
  3. Key ratchet synchronization: CipherManager may not have the correct cipher for the current generation, returning false from decrypt_impl()

Reproduction

  1. Install davey + py-cord with DAVE voice receive support
  2. Connect bot to a Discord voice channel
  3. Have another user speak in the channel
  4. Observe that DaveSession.decrypt() fails for ~95% of incoming frames despite valid DAVE-encrypted data being passed in

Additional Context

  • The py-cord voice receive pipeline (RTP parsing, transport decrypt, extension header stripping) has been verified to produce correct data
  • This was tested with the aead_xchacha20_poly1305_rtpsize encryption mode
  • discord.js has similar DAVE receive issues tracked at discordjs/discord.js#11419
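
A triage pass over the DIAG lines posted above, added here as an example and not part of the original issue or of davey or py-cord: it labels each frame by where the 0xFAFA marker sits in the last four bytes and checks the logged ends_FAFA flag against those bytes. The function names are made up for this example, and reading the byte before the marker as the trailer's size field is an assumption taken from the public DAVE protocol description, not from this page.

```python
import re
from collections import Counter

# DIAG lines as posted in the issue above.
SAMPLE_LOG = """\
DIAG #1:  raw_payload len=178 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #2:  raw_payload len=175 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #3:  raw_payload len=166 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #4:  raw_payload len=192 last4=0dfafa01 ends_FAFA=False extended=True rtpsize=True
DIAG #5:  raw_payload len=192 last4=710dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #6:  raw_payload len=186 last4=05050505 ends_FAFA=False extended=True rtpsize=True
DIAG #7:  raw_payload len=186 last4=0f0f0f0f ends_FAFA=False extended=True rtpsize=True
DIAG #8:  raw_payload len=186 last4=020cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #9:  raw_payload len=186 last4=030cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #10: raw_payload len=168 last4=040cfafa ends_FAFA=True extended=True rtpsize=True
DIAG #500: raw_payload len=145 last4=0c0dfafa ends_FAFA=True extended=True rtpsize=True
DIAG #1000: raw_payload len=172 last4=180dfafa ends_FAFA=True extended=True rtpsize=True
"""

LINE_RE = re.compile(r"DIAG #(\d+):\s+raw_payload len=(\d+) last4=([0-9a-f]{8}) ends_FAFA=(True|False)")
MAGIC = b"\xfa\xfa"

def classify_tail(tail: bytes) -> str:
    # Label the last four payload bytes by where the marker sits.
    if tail.endswith(MAGIC):
        return "marker_at_end"
    if MAGIC in tail:
        return "marker_before_trailing_bytes"  # marker present, extra bytes after it
    if len(set(tail)) == 1:
        return "repeated_byte_tail"            # e.g. 05050505
    return "no_marker"

def triage(log: str) -> list:
    rows = []
    for seq, length, last4, flag in LINE_RE.findall(log):
        tail = bytes.fromhex(last4)
        kind = classify_tail(tail)
        rows.append({
            "seq": int(seq), "len": int(length), "kind": kind,
            # Assumption (public DAVE description, not this page): size byte precedes marker.
            "trailer_size": tail[1] if kind == "marker_at_end" else None,
            "flag_consistent": (flag == "True") == (kind == "marker_at_end"),
        })
    return rows

if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    print(*rows, Counter(r["kind"] for r in rows), sep="\n")
```

Run over a full capture, the per-kind counts separate frames that arrive without a trailing marker from frames that carry one and still fail in the cipher, which correspond to the two error types named in the report.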
