From 845dccc2bb5f32a005c34181f9c5081e037f71eb Mon Sep 17 00:00:00 2001 From: Juliusz Chroboczek Date: Fri, 1 Jan 2021 23:50:34 +0100 Subject: [PATCH] Implement coturn's use-auth-secret. --- README | 14 +++++++------- group/ice.go | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/README b/README index 1705509..a18bc82 100644 --- a/README +++ b/README @@ -26,9 +26,9 @@ case of Academic and Enterprise networks), then you will need a TURN server running on an innocent-looking TCP port. This is the recommended setup. -You should probably be running your own TURN server — I use *coturn*. The -address of the TURN server is configured in the file `data/ice-servers.json`. -It should look like this: +You should probably be running your own TURN server. The address of the +TURN server is configured in the file `data/ice-servers.json`. It should +look like this: [ { @@ -36,13 +36,13 @@ It should look like this: "turn:turn.example.com:443", "turn:turn.example.com:443?transport=tcp" ], - "username": "username", - "credential": "password" + "username": "galene", + "credential": "secret" } ] -The port number, username and password should be the same as the ones in -your TURN server's configuration. +If you use coturn's `use-auth-secret` option, set `credentialType` to +`hmac-sha1`. ## Set up a group diff --git a/group/ice.go b/group/ice.go index 246ae00..e7f3fec 100644 --- a/group/ice.go +++ b/group/ice.go @@ -1,8 +1,13 @@ package group import ( + "bytes" + "crypto/hmac" + "crypto/sha1" + "encoding/base64" "encoding/json" "errors" + "fmt" "log" "os" "sync/atomic" 
@@ -29,6 +34,28 @@ func getICEServer(server ICEServer) (webrtc.ICEServer, error) {
 s.CredentialType = webrtc.ICECredentialTypePassword
 case "oauth":
 s.CredentialType = webrtc.ICECredentialTypeOauth
+ case "hmac-sha1":
+ cred, ok := server.Credential.(string)
+ if !ok {
+ return webrtc.ICEServer{},
+ errors.New("credential is not a string")
+ }
+ ts := time.Now().Unix() + 86400
+ var username string
+ if server.Username == "" {
+ username = fmt.Sprintf("%d", ts)
+ } else {
+ username = fmt.Sprintf("%d:%s", ts, server.Username)
+ }
+ mac := hmac.New(sha1.New, []byte(cred))
+ mac.Write([]byte(username))
+ buf := bytes.Buffer{}
+ e := base64.NewEncoder(base64.StdEncoding, &buf)
+ e.Write(mac.Sum(nil))
+ e.Close()
+ s.Username = username
+ s.Credential = string(buf.Bytes())
+ s.CredentialType = webrtc.ICECredentialTypePassword
 default:
 return webrtc.ICEServer{}, errors.New("unsupported credential type")
 }
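Review bot: The `hmac-sha1` case bakes the expiry into the username once, at `ts := time.Now().Unix() + 86400`, so the derived credential stops being accepted by the TURN server 24 hours after `getICEServer` ran; the callers are outside this hunk, so it is worth confirming that the configuration is rebuilt well inside that window rather than cached for the life of the process. I would name the lifetime (`const turnCredentialLifetime = 24 * time.Hour`) and add a comment such as `// time-limited TURN credential: username is "expiry[:name]", password is base64(HMAC-SHA1(secret, username))`. The case also accepts an empty shared secret and silently computes an HMAC with an empty key; rejecting it with `if cred == "" { return webrtc.ICEServer{}, errors.New("empty hmac-sha1 secret") }` makes the misconfiguration visible at load time. The buffer and encoder sequence can be replaced by `s.Credential = base64.StdEncoding.EncodeToString(mac.Sum(nil))`, which removes the unchecked `e.Write` and `e.Close` calls. `getICEServer` begins and ends outside the hunk.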