From 109892b4b754e1666d4f00d9aec6356b46093668 Mon Sep 17 00:00:00 2001
From: Moritz Bitsch <moritz@h6t.eu>
Date: Fri, 1 Oct 2021 15:53:16 +0200
Subject: [PATCH 1/2] Implement turn server settings

this fills out the infos in /_matrix/client/r0/voip/turnServer with
values specified in the server config
---
 src/client_server/voip.rs | 14 +++++++-------
 src/database.rs           | 12 ++++++++++++
 src/database/globals.rs   | 16 ++++++++++++++++
 3 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/src/client_server/voip.rs b/src/client_server/voip.rs
index 2a7f28e1..83f39a48 100644
--- a/src/client_server/voip.rs
+++ b/src/client_server/voip.rs
@@ -1,4 +1,4 @@
-use crate::ConduitResult;
+use crate::{database::DatabaseGuard, ConduitResult};
 use ruma::api::client::r0::voip::get_turn_server_info;
 use std::time::Duration;
 
@@ -9,13 +9,13 @@ use rocket::get;
 ///
 /// TODO: Returns information about the recommended turn server.
 #[cfg_attr(feature = "conduit_bin", get("/_matrix/client/r0/voip/turnServer"))]
-#[tracing::instrument]
-pub async fn turn_server_route() -> ConduitResult<get_turn_server_info::Response> {
+#[tracing::instrument(skip(db))]
+pub async fn turn_server_route(db: DatabaseGuard) -> ConduitResult<get_turn_server_info::Response> {
     Ok(get_turn_server_info::Response {
-        username: "".to_owned(),
-        password: "".to_owned(),
-        uris: Vec::new(),
-        ttl: Duration::from_secs(60 * 60 * 24),
+        username: db.globals.turn_username().clone(),
+        password: db.globals.turn_password().clone(),
+        uris: db.globals.turn_uris().to_vec(),
+        ttl: Duration::from_secs(db.globals.turn_ttl()),
     }
     .into())
 }
diff --git a/src/database.rs b/src/database.rs
index 8cf4f640..85213c00 100644
--- a/src/database.rs
+++ b/src/database.rs
@@ -74,6 +74,14 @@ pub struct Config {
     trusted_servers: Vec<Box<ServerName>>,
     #[serde(default = "default_log")]
     pub log: String,
+    #[serde(default)]
+    turn_username: String,
+    #[serde(default)]
+    turn_password: String,
+    #[serde(default = "Vec::new")]
+    turn_uris: Vec<String>,
+    #[serde(default = "default_turn_ttl")]
+    turn_ttl: u64,
 
     #[serde(flatten)]
     catchall: BTreeMap<String, IgnoredAny>,
@@ -131,6 +139,10 @@ fn default_log() -> String {
     "info,state_res=warn,rocket=off,_=off,sled=off".to_owned()
 }
 
+fn default_turn_ttl() -> u64 {
+    60 * 60 * 24
+}
+
 #[cfg(feature = "sled")]
 pub type Engine = abstraction::sled::Engine;
 
diff --git a/src/database/globals.rs b/src/database/globals.rs
index f1cbbd92..7338f1ed 100644
--- a/src/database/globals.rs
+++ b/src/database/globals.rs
@@ -226,6 +226,22 @@ impl Globals {
         self.jwt_decoding_key.as_ref()
     }
 
+    pub fn turn_password(&self) -> &String {
+        &self.config.turn_password
+    }
+
+    pub fn turn_ttl(&self) -> u64 {
+        self.config.turn_ttl
+    }
+
+    pub fn turn_uris(&self) -> &[String] {
+        &self.config.turn_uris
+    }
+
+    pub fn turn_username(&self) -> &String {
+        &self.config.turn_username
+    }
+
     /// TODO: the key valid until timestamp is only honored in room version > 4
     /// Remove the outdated keys and insert the new ones.
     ///

From 9fccbb014a3297961fd169ce12363564e56afbc3 Mon Sep 17 00:00:00 2001
From: Moritz Bitsch <moritz@h6t.eu>
Date: Sat, 2 Oct 2021 00:37:39 +0200
Subject: [PATCH 2/2] Implement TURN server authentication with hmac

This is a prefered method to allow limited access to the TURN server
---
 Cargo.lock                | 35 +++++++++++++++++++++++++++
 Cargo.toml                |  3 +++
 src/client_server/voip.rs | 51 +++++++++++++++++++++++++++++++++------
 src/database.rs           |  2 ++
 src/database/globals.rs   |  4 +++
 5 files changed, 88 insertions(+), 7 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 293bcff7..68293896 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -245,6 +245,7 @@ dependencies = [
  "crossbeam",
  "directories",
  "heed",
+ "hmac",
  "http",
  "image",
  "jsonwebtoken",
@@ -266,6 +267,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_yaml",
+ "sha-1",
  "sled",
  "thiserror",
  "thread_local",
@@ -428,6 +430,16 @@ dependencies = [
  "lazy_static",
 ]
 
+[[package]]
+name = "crypto-mac"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714"
+dependencies = [
+ "generic-array",
+ "subtle",
+]
+
 [[package]]
 name = "curve25519-dalek"
 version = "3.2.0"
@@ -897,6 +909,16 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "hmac"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b"
+dependencies = [
+ "crypto-mac",
+ "digest",
+]
+
 [[package]]
 name = "hostname"
 version = "0.3.1"
@@ -2422,6 +2444,19 @@ dependencies = [
  "yaml-rust",
 ]
 
+[[package]]
+name = "sha-1"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99cd6713db3cf16b6c84e06321e049a9b9f699826e16096d23bbcc44d15d51a6"
+dependencies = [
+ "block-buffer",
+ "cfg-if 1.0.0",
+ "cpufeatures",
+ "digest",
+ "opaque-debug",
+]
+
 [[package]]
 name = "sha1"
 version = "0.6.0"
diff --git a/Cargo.toml b/Cargo.toml
index 13a7af44..fc83d11b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -79,6 +79,9 @@ num_cpus = "1.13.0"
 threadpool = "1.8.1"
 heed = { git = "https://github.com/timokoesters/heed.git", rev = "f6f825da7fb2c758867e05ad973ef800a6fe1d5d", optional = true }
 thread_local = "1.1.3"
+# used for TURN server authentication
+hmac = "0.11.0"
+sha-1 = "0.9.8"
 
 [features]
 default = ["conduit_bin", "backend_sqlite"]
diff --git a/src/client_server/voip.rs b/src/client_server/voip.rs
index 83f39a48..9c3b20d4 100644
--- a/src/client_server/voip.rs
+++ b/src/client_server/voip.rs
@@ -1,6 +1,11 @@
-use crate::{database::DatabaseGuard, ConduitResult};
+use crate::{database::DatabaseGuard, ConduitResult, Ruma};
+use hmac::{Hmac, Mac, NewMac};
 use ruma::api::client::r0::voip::get_turn_server_info;
-use std::time::Duration;
+use ruma::SecondsSinceUnixEpoch;
+use sha1::Sha1;
+use std::time::{Duration, SystemTime};
+
+type HmacSha1 = Hmac<Sha1>;
 
 #[cfg(feature = "conduit_bin")]
 use rocket::get;
@@ -8,12 +13,44 @@ use rocket::get;
 /// # `GET /_matrix/client/r0/voip/turnServer`
 ///
 /// TODO: Returns information about the recommended turn server.
-#[cfg_attr(feature = "conduit_bin", get("/_matrix/client/r0/voip/turnServer"))]
-#[tracing::instrument(skip(db))]
-pub async fn turn_server_route(db: DatabaseGuard) -> ConduitResult<get_turn_server_info::Response> {
+#[cfg_attr(
+    feature = "conduit_bin",
+    get("/_matrix/client/r0/voip/turnServer", data = "<body>")
+)]
+#[tracing::instrument(skip(body, db))]
+pub async fn turn_server_route(
+    body: Ruma<get_turn_server_info::Request>,
+    db: DatabaseGuard,
+) -> ConduitResult<get_turn_server_info::Response> {
+    let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+
+    let turn_secret = db.globals.turn_secret();
+
+    let (username, password) = if turn_secret != "" {
+        let expiry = SecondsSinceUnixEpoch::from_system_time(
+            SystemTime::now() + Duration::from_secs(db.globals.turn_ttl()),
+        )
+        .expect("time is valid");
+
+        let username: String = format!("{}:{}", expiry.get(), sender_user);
+
+        let mut mac = HmacSha1::new_from_slice(turn_secret.as_bytes())
+            .expect("HMAC can take key of any size");
+        mac.update(username.as_bytes());
+
+        let password: String = base64::encode_config(mac.finalize().into_bytes(), base64::STANDARD);
+
+        (username, password)
+    } else {
+        (
+            db.globals.turn_username().clone(),
+            db.globals.turn_password().clone(),
+        )
+    };
+
     Ok(get_turn_server_info::Response {
-        username: db.globals.turn_username().clone(),
-        password: db.globals.turn_password().clone(),
+        username: username,
+        password: password,
         uris: db.globals.turn_uris().to_vec(),
         ttl: Duration::from_secs(db.globals.turn_ttl()),
     }
diff --git a/src/database.rs b/src/database.rs
index 85213c00..080e24b3 100644
--- a/src/database.rs
+++ b/src/database.rs
@@ -80,6 +80,8 @@ pub struct Config {
     turn_password: String,
     #[serde(default = "Vec::new")]
     turn_uris: Vec<String>,
+    #[serde(default)]
+    turn_secret: String,
     #[serde(default = "default_turn_ttl")]
     turn_ttl: u64,
 
diff --git a/src/database/globals.rs b/src/database/globals.rs
index 7338f1ed..05ecb568 100644
--- a/src/database/globals.rs
+++ b/src/database/globals.rs
@@ -242,6 +242,10 @@ impl Globals {
         &self.config.turn_username
     }
 
+    pub fn turn_secret(&self) -> &String {
+        &self.config.turn_secret
+    }
+
     /// TODO: the key valid until timestamp is only honored in room version > 4
     /// Remove the outdated keys and insert the new ones.
     ///