add initial support for client certs

2017-05-28 21:16:46 +02:00 · 2017-05-28 21:16:46 +02:00 · da69797f31
commit da69797f31
parent 1630e82c7f
5 changed files with 83 additions and 1 deletions
--- a/MumbleCommunicator.cpp
+++ b/MumbleCommunicator.cpp
@ -76,6 +76,8 @@ void mumble::MumbleCommunicator::connect(MumbleCommunicatorConfig &config) {

    mumConfig = mumlib::MumlibConfiguration();
    mumConfig.opusEncoderBitrate = config.opusEncoderBitrate;
+    mumConfig.cert_file = config.cert_file;
+    mumConfig.privkey_file = config.privkey_file;

    mum.reset(new mumlib::Mumlib(*callback, ioService, mumConfig));
    callback->communicator = this;
--- a/MumbleCommunicator.hpp
+++ b/MumbleCommunicator.hpp
@ -26,6 +26,8 @@ namespace mumble {
        std::string user;
        std::string password;
        std::string host;
+        std::string cert_file;
+        std::string privkey_file;
        int opusEncoderBitrate;
        int port = 0;
        bool autodeaf;
--- a/config.ini.example
+++ b/config.ini.example
@ -30,12 +30,16 @@ channelNameExpression =
 # When here is no SIP connection, the mumble state is set to self_mute/self_deaf
 # so the other users can easily see whether the SIP is connected even when not
 # in the same group
-autodeaf = 0
+autodeaf = 1

 # Bitrate of Opus encoder in B/s
 # Adjust it if you need to meet the specific bandwidth requirements of Murmur server
 opusEncoderBitrate = 16000

+# Set to 1 to use client certificates. The certs must be named <user>-cert.pem and
+# the private keys <user>-key.pem.
+use_certs = 0
+
 [app]

 # Caller PIN needed to authenticate the phone call itself. The caller presses
--- a/main.cpp
+++ b/main.cpp
@ -228,6 +228,14 @@ int main(int argc, char *argv[]) {
                mumcom);

        mumbleConf.user = conf.getString("mumble.user") + '-' + std::to_string(i);
+        try {
+            if ( conf.getBool("mumble.use_certs") ) {
+                mumbleConf.cert_file = mumbleConf.user + "-cert.pem";
+                mumbleConf.privkey_file = mumbleConf.user + "-key.pem";
+            }
+        } catch (...) {
+            logger.info("Client certs not enabled in config");
+        }
        mumcom->connect(mumbleConf);
    }

--- a/make-client-certs.sh
+++ b/make-client-certs.sh
@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# make-client-certs.sh - creates the client certs for registering with Mumble
+#
+# Usage:
+#
+#   make-client-certs.sh <username>
+#
+#   make-client-certs.sh <userprefix> <count>
+#
+# Notes:
+#
+# * The certs are self-signed and are not passphrase protected. Depending on
+#   the target environment and usage, this may or may not be OK. If you need
+#   a passphrase, you'll need to hack Mumlib.
+#
+# * The names are hard-coded in mumsi to match <username>-key.pem and 
+#   <username>-cert.pem. This is done to make it easier to configure multi-line
+#   functionality.
+#
+# * When generating files for a series of users, the counter is appended to the
+#   user name, from '0' to one less than the COUNT.
+
+function usage {
+    cat <<EOF
+Usage:
+
+    $0 username
+    $0 user-prefix count
+EOF
+    exit 1
+}
+
+USER="$1"
+COUNT="$2"
+
+# In this 'format', the %s is replaced with the user name generated in
+# the for loop.
+SUBJFMT="/C=DE/ST=HE/L=Ffm/O=Mumble Ext./CN=%s"
+
+if [ -z "$USER" ]; then
+    usage
+fi
+
+if [ -n "$3" ]; then
+    usage
+fi
+
+if [ -z "$COUNT" ]; then
+    COUNT=1
+fi
+
+for ((i=0; i<$COUNT; i++)) {
+    prefix="${USER}${i}"
+    subj=$(printf "$SUBJFMT" $prefix)
+
+    openssl req \
+        -nodes \
+        -new \
+        -x509 \
+        -keyout ${prefix}-key.pem \
+        -out ${prefix}-cert.pem \
+        -subj "$subj"
+}
+
+