

Encrypted pubkey for listening ports:
- created option to add encrypted listeners with paired pubkeys in unordered_map, plus access verification
- pubkeys stored in unordered set, changed lambda for listen_curve
- pubkeys are comma-delimited and paired with bind address in config file
dr7ana committed Jan 30, 2023
1 parent 1a8e1b8 commit d4b47db
Showing 3 changed files with 56 additions and 7 deletions.
42 changes: 37 additions & 5 deletions llarp/config/config.cpp
@@ -1,6 +1,7 @@
#include "config.hpp"
#include "definition.hpp"
#include "ini.hpp"
#include "oxenmq/address.h"

#include <llarp/constants/files.hpp>
#include <llarp/constants/platform.hpp>
Expand Down Expand Up @@ -1130,8 +1131,6 @@ namespace llarp
"Determines whether or not the LMQ JSON API is enabled. Defaults ",
});

conf.defineOption<std::string>();

conf.defineOption<std::string>(
"api",
"bind",
Expand All @@ -1154,10 +1153,43 @@ namespace llarp
"Recommend localhost-only for security purposes.",
});

conf.defineOption<std::string>("api", "authkey", Deprecated);
conf.defineOption<std::string>(
"api",
"bind_curve",
Default{""},
MultiValue,
[this](std::string arg) mutable {
if (arg.empty())
return;

auto pipe = arg.find("|");

if (pipe == arg.npos)
throw std::invalid_argument(
"Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");

// TODO: this was from pre-refactor:
// TODO: add pubkey to whitelist
auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);

if (not starts_with(key, "tcp://"))
key = "tcp://" + key;

auto pubkeys = split(values, ",", true);
m_rpcEncryptedAddresses[oxenmq::address{key}].insert(pubkeys.begin(), pubkeys.end());
},
Comment{
"Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
"by exposed encrypted listener. Keys must be attached to a listener address.",
"",
"Example: ",
" bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
" bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
"",
"In the given example above, port 1234 is only accessible by whitelisted ",
"pubkeys A and B, while 5678 is accessible by C and D.",
"",
"Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});

conf.defineOption<std::string>("api", "authkey", Deprecated);
}

void
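Review bot: The bind_curve handler at the `auto pubkeys = split(values, ",", true);` line stores any text after the pipe as a pubkey, so a typo or an empty list (`addr|`) is accepted silently and only shows up at runtime as every curve client being denied; validate each entry here (non-empty, and the length/encoding oxenmq uses for curve pubkeys — confirm, I recall 32 raw bytes, usually typed as hex) and throw std::invalid_argument naming the offending entry, as the pipe check already does. The two `// TODO:` comments above `auto key = arg.substr(...)` describe work this lambda now performs and should be dropped, or replaced by `// one listener address -> the set of curve pubkeys allowed to connect to it`. Minor: `arg.find("|")` can be `arg.find('|')`, `arg.substr(pipe + 1, arg.npos)` is just `arg.substr(pipe + 1)`, and `mutable` is unnecessary since the lambda only touches `this`. The help text could also state what a whitelisted key is granted — the server side in this commit appears to hand it AuthLevel::admin — so operators understand the trust they extend by listing a key.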
3 changes: 3 additions & 0 deletions llarp/config/config.hpp
@@ -1,6 +1,7 @@
#pragma once
#include "ini.hpp"
#include "definition.hpp"
#include "oxenmq/auth.h"

#include <chrono>

Expand All @@ -26,6 +27,7 @@
#include <utility>
#include <vector>
#include <unordered_set>
#include <unordered_map>

#include <oxenmq/address.h>

Expand Down Expand Up @@ -190,6 +192,7 @@ namespace llarp
{
bool m_enableRPCServer = false;
std::vector<oxenmq::address> m_rpcBindAddresses;
std::unordered_map<oxenmq::address, std::unordered_set<std::string>> m_rpcEncryptedAddresses;

void
defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);
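Review bot: The new `m_rpcEncryptedAddresses` member is undocumented, and its type is the only thing that says what a bind_curve entry means; add `// listener address -> curve pubkeys (as written in the config) allowed to connect to it; filled by the [api] bind_curve handler` above it. Keying an unordered_map on oxenmq::address relies on a std::hash specialization coming from oxenmq's headers — I believe address.h supplies one, but confirm, since the error otherwise appears only where the map is first instantiated. Style: the added `#include "oxenmq/auth.h"` uses quotes where this file includes `<oxenmq/address.h>` with angle brackets, nothing in the visible hunks of this header uses auth.h, and `<unordered_map>` is placed after `<unordered_set>` rather than in the alphabetical order the surrounding includes follow.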
18 changes: 16 additions & 2 deletions llarp/rpc/rpc_server.cpp
Expand Up @@ -13,6 +13,9 @@
#include <llarp/service/name.hpp>
#include <llarp/router/abstractrouter.hpp>
#include <llarp/dns/dns.hpp>
#include <stdexcept>
#include "llarp/util/logging.hpp"
#include "oxenmq/auth.h"
#include <oxenmq/fmt.h>

namespace
Expand All @@ -31,6 +34,17 @@ namespace llarp::rpc
LogInfo("Bound RPC server to ", addr.full_address());
}

for (const auto& [address, allowed_keys] : r->GetConfig()->api.m_rpcEncryptedAddresses)
{
m_LMQ->listen_curve(address.zmq_address(), [allowed_keys = allowed_keys](auto pk, ...) {
if (std::find(allowed_keys.begin(), allowed_keys.end(), pk) != allowed_keys.end())
return oxenmq::AuthLevel::admin;

LogInfo("Curve pubkey not found in whitelist");
return oxenmq::AuthLevel::denied;
});
}

this->AddRPCCategories();
}

Expand Down Expand Up @@ -117,7 +131,7 @@ namespace llarp::rpc
{
return r->exitContext().GetExitEndpoint(name);
}

return r->hiddenServiceContext().GetEndpointByName(name);
}

Expand Down Expand Up @@ -410,7 +424,7 @@ namespace llarp::rpc
{
if (itr->is_array())
{
for (auto & kill_itr : *itr)
for (auto& kill_itr : *itr)
{
if (kill_itr.is_string())
kills.emplace(kill_itr.get<std::string>());
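Review bot: The allow callback given to `listen_curve` declares its parameters as `(auto pk, ...)`, so `pk` binds to whatever oxenmq passes first and the remaining arguments go through C varargs; as far as I recall oxenmq's AllowFunc is `(std::string_view remote_addr, std::string_view pubkey, bool service_node)`, in which case `pk` is the remote address and the whitelist check can never match — fail-closed, but the feature does not work. Spell the signature out, and note that the set holds the strings as typed in the config while the callback likely receives the 32-byte raw key, so one side has to be converted before comparing — confirm against oxenmq's header. `std::find` over an unordered_set is a linear scan where the set's own lookup is O(1). The rejection log should also say who was rejected (remote address, and the key in a printable form) so an operator can tell a misconfigured client from an unknown peer. The `<stdexcept>` include added at the top is not used by anything in the visible hunks.
```cpp
for (const auto& [address, allowed_keys] : r->GetConfig()->api.m_rpcEncryptedAddresses)
{
  m_LMQ->listen_curve(
      address.zmq_address(),
      // NOTE(review): parameter order as I recall oxenmq's AllowFunc — confirm against oxenmq.h
      [allowed_keys = allowed_keys](std::string_view remote, std::string_view pk, bool /*service_node*/) {
        // TODO(review): bring pk (raw bytes) and the configured entries (text) to one encoding before comparing
        if (allowed_keys.find(std::string{pk}) != allowed_keys.end())
          return oxenmq::AuthLevel::admin;

        LogInfo("Rejected curve connection from ", remote, ": pubkey not in whitelist");
        return oxenmq::AuthLevel::denied;
      });
}
```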
