
add initial support for client certs

Scott Hardin 5 years ago
parent
commit
da69797f31
5 changed files with 83 additions and 1 deletions
  1. 2 0
      MumbleCommunicator.cpp
  2. 2 0
      MumbleCommunicator.hpp
  3. 5 1
      config.ini.example
  4. 8 0
      main.cpp
  5. 66 0
      make-client-certs.sh

+ 2 - 0
MumbleCommunicator.cpp

@@ -76,6 +76,8 @@ void mumble::MumbleCommunicator::connect(MumbleCommunicatorConfig &config) {
 
     mumConfig = mumlib::MumlibConfiguration();
     mumConfig.opusEncoderBitrate = config.opusEncoderBitrate;
+    mumConfig.cert_file = config.cert_file;
+    mumConfig.privkey_file = config.privkey_file;
 
     mum.reset(new mumlib::Mumlib(*callback, ioService, mumConfig));
     callback->communicator = this;

+ 2 - 0
MumbleCommunicator.hpp

@@ -26,6 +26,8 @@ namespace mumble {
         std::string user;
         std::string password;
         std::string host;
+        std::string cert_file;
+        std::string privkey_file;
         int opusEncoderBitrate;
         int port = 0;
         bool autodeaf;
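Review bot: The two new members are undocumented, and nothing in the struct says what an empty value means. A comment such as `// PEM client certificate and private key handed to Mumlib; both stay empty when mumble.use_certs is off (see main.cpp)` above `cert_file` would record the contract that main.cpp relies on. The enclosing struct's header is outside the hunk.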

+ 5 - 1
config.ini.example

@@ -30,12 +30,16 @@ channelNameExpression =
 # When here is no SIP connection, the mumble state is set to self_mute/self_deaf
 # so the other users can easily see whether the SIP is connected even when not
 # in the same group
-autodeaf = 0
+autodeaf = 1
 
 # Bitrate of Opus encoder in B/s
 # Adjust it if you need to meet the specific bandwidth requirements of Murmur server
 opusEncoderBitrate = 16000
 
+# Set to 1 to use client certificates. The certs must be named <user>-cert.pem and
+# the private keys <user>-key.pem.
+use_certs = 0
+
 [app]
 
 # Caller PIN needed to authenticate the phone call itself. The caller presses
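Review bot: The `autodeaf = 0` → `autodeaf = 1` change is unrelated to client-certificate support and is not mentioned in the commit message; since it flips a shipped default it should be split out or at least called out in the description. The `use_certs` comment also leaves out that the per-line index is part of the file name: main.cpp builds `<user>-<N>-cert.pem` with no directory prefix, so a comment such as `# Set to 1 to use client certificates. For each line N the files <user>-N-cert.pem and <user>-N-key.pem are read (no directory is prepended).` would save the reader a trip through the source.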

+ 8 - 0
main.cpp

@@ -228,6 +228,14 @@ int main(int argc, char *argv[]) {
                 mumcom);
 
         mumbleConf.user = conf.getString("mumble.user") + '-' + std::to_string(i);
+        try {
+            if ( conf.getBool("mumble.use_certs") ) {
+                mumbleConf.cert_file = mumbleConf.user + "-cert.pem";
+                mumbleConf.privkey_file = mumbleConf.user + "-key.pem";
+            }
+        } catch (...) {
+            logger.info("Client certs not enabled in config");
+        }
         mumcom->connect(mumbleConf);
     }
 
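Review bot: The certificate file names computed on the `mumbleConf.cert_file` / `privkey_file` lines do not match what make-client-certs.sh (also in this commit) produces: `mumbleConf.user` is built one line above as `<user>-<i>`, so line i=0 of user `alice` looks for `alice-0-cert.pem`, while the script names its output `${USER}${i}`, i.e. `alice0-cert.pem`. Changing the script to `prefix="${USER}-${i}"` (and its header comment) or computing the names here from the bare `mumble.user` value would line them up. Separately, `catch (...)` swallows every exception from `getBool`, so a malformed `use_certs` value (not just an absent key) is logged as "not enabled" and the bot silently connects without a client certificate; if the config class offers a presence check or a defaulting `getBool` overload, prefer it, otherwise catch only the exception type it throws for a missing key and let anything else propagate. main()'s body continues outside the hunk.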

+ 66 - 0
make-client-certs.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# make-client-certs.sh - creates the client certs for registering with Mumble
+#
+# Usage:
+#
+#   make-client-certs.sh <username>
+#
+#   make-client-certs.sh <userprefix> <count>
+#
+# Notes:
+#
+# * The certs are self-signed and are not passphrase protected. Depending on
+#   the target environment and usage, this may or may not be OK. If you need
+#   a passphrase, you'll need to hack Mumlib.
+#
+# * The names are hard-coded in mumsi to match <username>-key.pem and 
+#   <username>-cert.pem. This is done to make it easier to configure multi-line
+#   functionality.
+#
+# * When generating files for a series of users, the counter is appended to the
+#   user name, from '0' to one less than the COUNT.
+
+function usage {
+    cat <<EOF
+Usage:
+
+    $0 username
+    $0 user-prefix count
+EOF
+    exit 1
+}
+
+USER="$1"
+COUNT="$2"
+
+# In this 'format', the %s is replaced with the user name generated in
+# the for loop.
+SUBJFMT="/C=DE/ST=HE/L=Ffm/O=Mumble Ext./CN=%s"
+
+if [ -z "$USER" ]; then
+    usage
+fi
+
+if [ -n "$3" ]; then
+    usage
+fi
+
+if [ -z "$COUNT" ]; then
+    COUNT=1
+fi
+
+for ((i=0; i<$COUNT; i++)) {
+    prefix="${USER}${i}"
+    subj=$(printf "$SUBJFMT" $prefix)
+
+    openssl req \
+        -nodes \
+        -new \
+        -x509 \
+        -keyout ${prefix}-key.pem \
+        -out ${prefix}-cert.pem \
+        -subj "$subj"
+}
+
+
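Review bot: The `openssl req` call relies on tool defaults for certificate lifetime and key type; without `-days`, `openssl req -x509` issues a certificate valid for only 30 days, and as far as I know Murmur ties user registrations to the client certificate, so the bot's identity would silently stop matching after a month. Passing an explicit `-days` (the value below is a sample; pick what the deployment needs) and `-newkey rsa:2048` makes the result independent of the installed OpenSSL's defaults. Because `-nodes` writes the key unencrypted, as the header note already says, a `umask 077` before the loop keeps it owner-readable, and the `$prefix` and file-name expansions should be quoted so a user name containing spaces or glob characters does not split. Using `USER` as the argument variable shadows the login-name variable most shells export; a name like `USERNAME` would avoid confusion.
```shell
# … unchanged: argument checks …
umask 077   # -nodes writes the private key unencrypted; keep it owner-only
for ((i=0; i<$COUNT; i++)) {
    prefix="${USER}${i}"
    subj=$(printf "$SUBJFMT" "$prefix")

    openssl req \
        -nodes \
        -new \
        -x509 \
        -newkey rsa:2048 \
        -days 3650 \
        -keyout "${prefix}-key.pem" \
        -out "${prefix}-cert.pem" \
        -subj "$subj"
}
```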