From 374a197513f604387c481e866f638b2059c62aae Mon Sep 17 00:00:00 2001
From: dan
Date: Mon, 30 Jan 2023 07:43:58 -0800
Subject: [PATCH] Encrypted pubkey for listening ports:
- created option to add encrypted listeners with paired pubkeys in unordered_map, plus access verification
- pubkeys stored in unordered set, changed lambda for listen_curve
- pubkeys are comma-delimited and paired with bind address in config file
---
 llarp/config/config.cpp | 42 ++++++++++++++++++++++++++++++++++++++---
 llarp/config/config.hpp | 3 +++
 2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/llarp/config/config.cpp b/llarp/config/config.cpp
index eda628dda0..fc021187bb 100644
--- a/llarp/config/config.cpp
+++ b/llarp/config/config.cpp
@@ -1,6 +1,7 @@
 #include "config.hpp"
 #include "definition.hpp"
 #include "ini.hpp"
+#include "oxenmq/address.h"
 #include
 #include
@@ -1152,10 +1153,45 @@ namespace llarp
 "Recommend localhost-only for security purposes.",
 });
- conf.defineOption("api", "authkey", Deprecated);
+ conf.defineOption(
+ "api",
+ "bind_curve",
+ Default{""},
+ MultiValue,
+ [this](std::string arg) mutable {
+ if (arg.empty())
+ return;
+
+ auto pipe = arg.find("|");
+
+ if (pipe == arg.npos)
+ throw std::invalid_argument(
+ "Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");
+
+ auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);
- // TODO: this was from pre-refactor:
- // TODO: add pubkey to whitelist
+ if (not starts_with(key, "tcp://"))
+ key = "tcp://" + key;
+
+ auto pubkeys = split(values, ",", true);
+
+ for (auto& pk : pubkeys)
+ m_rpcEncryptedAddresses[oxenmq::address{key}].emplace(pk);
+ },
+ Comment{
+ "Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
+ "by exposed encrypted listener. Keys must be attached to a listener address.",
+ "",
+ "Example: ",
+ " bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
+ " bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
+ "",
+ "In the given example above, port 1234 is only accessible by whitelisted ",
+ "pubkeys A and B, while 5678 is accessible by C and D.",
+ "",
+ "Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});
+
+ conf.defineOption("api", "authkey", Deprecated);
 }
 void
diff --git a/llarp/config/config.hpp b/llarp/config/config.hpp
index 3165f03543..5e9284795d 100644
--- a/llarp/config/config.hpp
+++ b/llarp/config/config.hpp
@@ -1,6 +1,7 @@
 #pragma once
 #include "ini.hpp"
 #include "definition.hpp"
+#include "oxenmq/auth.h"
 #include
@@ -26,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -190,6 +192,7 @@ namespace llarp
 {
 bool m_enableRPCServer = false;
 std::vector m_rpcBindAddresses;
+ std::unordered_map> m_rpcEncryptedAddresses;
 void defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);
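Review bot: The whitelist is populated at `m_rpcEncryptedAddresses[oxenmq::address{key}].emplace(pk)` with no validation of the pubkey side of the pair: `bind_curve=tcp://host:port|` yields an empty `pubkeys` list, so the loop never runs, no map entry is created and the listener is silently dropped instead of the config being rejected, and (unless `split`'s third argument already discards empties) a trailing comma becomes an empty whitelisted key. I would reject an empty list and empty entries at load time and parse the address once outside the loop rather than once per pubkey; if oxenmq exposes the expected curve key length, checking it here would turn a typo'd key into a config error rather than a connect-time failure. Separately, the commit message mentions "access verification" and a changed `listen_curve` lambda, but the diffstat touches only config.cpp and config.hpp, so the code that actually enforces this allow-list is not in this patch and should be reviewed wherever `m_rpcEncryptedAddresses` is consumed. The `0.0.0.0` examples in the Comment sit directly under the existing "Recommend localhost-only for security purposes." text, so a sentence such as `"A non-localhost bind is only acceptable because connections must present a whitelisted curve pubkey."` would make the intent clear, and the `mutable` on the lambda is unnecessary since it mutates `*this` through the captured pointer rather than a captured value (the enclosing function begins before this hunk).
```cpp
          auto pubkeys = split(values, ",", true);
          if (pubkeys.empty())
            throw std::invalid_argument("bind_curve: at least one pubkey is required for " + key);

          // Parse the address once instead of once per pubkey.
          auto& allowed = m_rpcEncryptedAddresses[oxenmq::address{key}];
          for (auto& pk : pubkeys)
          {
            if (pk.empty())
              throw std::invalid_argument("bind_curve: empty pubkey in whitelist for " + key);
            allowed.emplace(pk);
          }
```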