From 17ebb274259b16f945a7a7e292cf945e0a4984f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Mon, 26 Feb 2024 22:35:05 +0100
Subject: [PATCH] Remplement TLS/DTLS for calls

---
 conf/homeserver.yaml | 4 ++--
 conf/turnserver.conf | 7 +++++++
 config_panel.toml | 10 ++++++++++
 scripts/_common.sh | 6 ++++++
 scripts/install | 2 ++
 scripts/upgrade | 5 +++++
 6 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml
index 81dc75e..263384b 100644
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
@@ -1181,7 +1181,7 @@ oembed:
 
 # The public URIs of the TURN server to give to clients
 #
-turn_uris: [ "turn:__DOMAIN__:__PORT_TURNSERVER_TLS__?transport=udp", "turn:__DOMAIN__:__PORT_TURNSERVER_TLS__?transport=tcp" ]
+__TURN_SERVER_CONFIG__
 
 # The shared secret used to compute passwords for the TURN server
 #
@@ -1195,7 +1195,7 @@ turn_shared_secret: "__TURNSERVER_PWD__"
 
 # How long generated TURN credentials last
 #
-turn_user_lifetime: 1h
+turn_user_lifetime: 12h
 
 # Whether guests should be allowed to use the TURN server.
 # This defaults to True, otherwise VoIP will be unreliable for guests.
diff --git a/conf/turnserver.conf b/conf/turnserver.conf
index 746f234..35ee0ae 100644
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@@ -26,4 +26,11 @@ log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/run/coturn-__APP__/turnserver.pid
 simple-log
 
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+
+# Max time 12h
+max-allocate-lifetime=43200
+
 _TURN_EXTERNAL_IP_
diff --git a/config_panel.toml b/config_panel.toml
index 340db8b..4a28765 100644
--- a/config_panel.toml
+++ b/config_panel.toml
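Review bot: `__TURN_SERVER_CONFIG__` replaces the entire `turn_uris:` line with text built in configure_synapse(), but nothing in the template says so, and the Synapse comments above it now describe a key that is no longer visible at this spot. A reader of homeserver.yaml cannot tell which URIs end up here or what toggles them; add above the placeholder `# Rendered by configure_synapse(): turns:/stuns: URIs when enable_dtls_for_audio_video_turn_call is true, plain turn: URIs otherwise` so the template documents the substitution.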
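Review bot: Raising `turn_user_lifetime` from 1h to 12h also lengthens the window in which a TURN credential captured from any client (all of them are derived from `turn_shared_secret`) stays usable for relaying traffic through this server, and the commit does not say why 12h is needed; the value appears to have been chosen to match `max-allocate-lifetime=43200` in turnserver.conf. If the two are meant to stay in step, say so in the template: `# 12h: keep in sync with max-allocate-lifetime (43200 s) in turnserver.conf`. Otherwise the shorter lifetime is the more conservative setting, since the quotas added in turnserver.conf already bound the relay load rather than the credential validity.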
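Review bot: The comment above `user-quota=12` is phrased as advice ("consider whether you want to limit...") although the lines below do set the limits, and `# Max time 12h` does not say what unit 43200 is or that it mirrors `turn_user_lifetime: 12h` in homeserver.yaml. Replace the first with `# Bound relayed sessions per user and in total so one account, or a flood of accounts, cannot exhaust the relay (DoS).` and the second with `# 43200 s = 12 h; keep in sync with turn_user_lifetime in homeserver.yaml`. This hunk shows no `cert`, `pkey` or `tls-listening-port` directives; if they are not already elsewhere in the file, the `turns:` URIs produced in _common.sh will point clients at a listener that does not speak TLS, which is worth confirming rather than assuming.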
@@ -224,3 +224,13 @@ services = ["matrix-__APP__"]
 ask = "Shared Secret for Registration"
 type = "string"
 help = "Allows registration of standard or admin accounts, even if Registration disabled."
+
+ [advanced.security]
+ name = "Security"
+
+ [advanced.security.enable_dtls_for_audio_video_turn_call]
+ ask = "Enable TLS/DTLS on Audio/Video coll"
+ type = "boolean"
+ yes = "true"
+ no = "false"
+ help = "Enabling TLS/DTLS is really recommanded but it could bring some issues depending of the server certificate. There are some known issues with let's encrypt (https://github.com/element-hq/element-android/issues/1533), so if you have issues it could be better to disable this feature."
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 52ae1c0..5294183 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -95,6 +95,12 @@ configure_synapse() {
 done <<< "${allowed_local_3pids_msisdn},"
 fi
 fi
+ local turn_server_config=""
+ if $enable_dtls_for_audio_video_turn_call; then
+ turn_server_config='turn_uris: [ "stuns:'$domain:$port_turnserver_tls'?transport=dtls", "stuns:'$domain:$port_turnserver_tls'?transport=tls", "turns:'$domain:$port_turnserver_tls'?transport=dtls", "turns:'$domain:$port_turnserver_tls'?transport=tls" ]'
+ else
+ turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'?transport=udp", "turn:'$domain:$port_turnserver_tls'?transport=tcp" ]'
+ fi
 ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
 sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml
diff --git a/scripts/install b/scripts/install
index 3ceaeae..8aa7a78 100644
--- a/scripts/install
+++ b/scripts/install
@@ -43,6 +43,7 @@ notif_for_new_users="true"
 enable_group_creation="true"
 push_include_content="true"
 enable_3pid_lookup=false
+enable_dtls_for_audio_video_turn_call=true
 
 if [ "$is_free_registration" -eq 0 ]
 then
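Review bot: The user-facing strings of the new `enable_dtls_for_audio_video_turn_call` option carry typos (`coll`, `recommanded`, `depending of`) and do not say what the toggle actually changes. Suggest `ask = "Enable TLS/DTLS for audio/video calls"` and a help text along the lines of "When enabled, clients are given turns:/stuns: URIs so media relayed through the TURN server is encrypted; this is strongly recommended, but some clients have trouble with certain certificates (there are known issues with Let's Encrypt certificates, see https://github.com/element-hq/element-android/issues/1533), so if calls fail, disabling this option may help." Since scripts/install sets the flag to true, the help text should also state that it is enabled by default.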
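Review bot: `if $enable_dtls_for_audio_video_turn_call; then` runs the setting's value as a command: "true"/"false" only work because programs of those names exist, an unset value aborts the script under `set -u`, an empty value is, as far as I recall bash's handling of an empty simple command, treated as success so TLS is silently enabled, and any other string stored in the setting would be executed as a command name. Compare the value instead: `if [ "${enable_dtls_for_audio_video_turn_call:-false}" = "true" ]; then`, which falls back to the plain-`turn:` branch when the setting is missing. The URIs use `?transport=dtls` and `?transport=tls`, whereas RFC 7065 defines only `udp` and `tcp` for `turn:`/`turns:` (a `turns:` URI with `transport=udp` means DTLS and with `transport=tcp` means TLS) and RFC 7064 `stun:`/`stuns:` URIs take no transport parameter at all, so verify that the clients you target accept these forms before shipping. configure_synapse() starts before this hunk, and the variable has to be loaded from the app settings by the caller, which is not visible here.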
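Review bot: The new default `enable_dtls_for_audio_video_turn_call=true` turns TLS/DTLS on for every fresh install, even though the help text added in config_panel.toml warns of known client problems with Let's Encrypt certificates, which YunoHost domains typically use; if that trade-off is intentional, record it here with `# TLS/DTLS on by default; admins hitting the Let's Encrypt client issue can disable it in the config panel`. Stylistically the value is unquoted while the neighbouring flags are written as `"true"`; `enable_dtls_for_audio_video_turn_call="true"` keeps the block consistent.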
@@ -91,6 +92,7 @@ ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_
 ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
 ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
 ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
+ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 
 #=================================================
 # STANDARD MODIFICATIONS
diff --git a/scripts/upgrade b/scripts/upgrade
index e6c3ed9..6a4c882 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -199,6 +199,11 @@ then
 push_include_content="true"
 ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
 fi
+if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
+then
+ enable_dtls_for_audio_video_turn_call="true"
+ ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
+fi
 
 #=================================================
 # MIGRATION 7 : STANDARDIZE SYSTEMD UNIT
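Review bot: The migration sets the flag to "true" whenever `enable_dtls_for_audio_video_turn_call` is empty, so every existing deployment is switched from plain `turn:` to `turns:`/`stuns:` URIs on this upgrade without notice, although the help text in config_panel.toml admits some clients cannot handle that with certain certificates. Defaulting existing installs to `"false"` would preserve their current behaviour, with a `ynh_print_warn` telling the admin the new option exists; at minimum the commit message should state the behaviour change. The `-z` test also relies on the variable having been loaded from the settings earlier in the script, which this hunk does not show; if it is not, an admin's "false" is overwritten with "true" on every upgrade.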