Encrypted pubkey for listening ports:

- created option to add encrypted listeners with paired pubkeys in unordered_map, plus access verification - pubkeys stored in unordered set, changed lambda for listen_curve - pubkeys are comma-delimited and paired with bind address in config file
2023-12-14 06:53:00 +01:00 · 2023-01-30 07:43:58 -08:00 · 2023-01-30 07:43:58 -08:00 · 802ad46df1
parent 7fb36782dc
commit 802ad46df1
2 changed files with 42 additions and 4 deletions
--- a/llarp/config/config.cpp
+++ b/llarp/config/config.cpp
@ -2,6 +2,7 @@
 #include "definition.hpp"
 #include "ini.hpp"

+#include <oxenmq/address.h>
 #include <llarp/constants/files.hpp>
 #include <llarp/constants/platform.hpp>
 #include <llarp/constants/version.hpp>
@ -1152,10 +1153,45 @@ namespace llarp
            "Recommend localhost-only for security purposes.",
        });

-    conf.defineOption<std::string>("api", "authkey", Deprecated);
+    conf.defineOption<std::string>(
+        "api",
+        "bind_curve",
+        Default{""},
+        MultiValue,
+        [this](std::string arg) mutable {
+          if (arg.empty())
+            return;

-    // TODO: this was from pre-refactor:
-    // TODO: add pubkey to whitelist
+          auto pipe = arg.find("|");
+
+          if (pipe == arg.npos)
+            throw std::invalid_argument(
+                "Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");
+
+          auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);
+
+          if (not starts_with(key, "tcp://"))
+            key = "tcp://" + key;
+
+          auto pubkeys = split(values, ",", true);
+
+          for (auto& pk : pubkeys)
+            m_rpcEncryptedAddresses[oxenmq::address{key}].emplace(pk);
+        },
+        Comment{
+            "Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
+            "by exposed encrypted listener. Keys must be attached to a listener address.",
+            "",
+            "Example: ",
+            "   bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
+            "   bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
+            "",
+            "In the given example above, port 1234 is only accessible by whitelisted ",
+            "pubkeys A and B, while 5678 is accessible by C and D.",
+            "",
+            "Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});
+
+    conf.defineOption<std::string>("api", "authkey", Deprecated);
  }

  void
--- a/llarp/config/config.hpp
+++ b/llarp/config/config.hpp
@ -2,8 +2,8 @@
 #include "ini.hpp"
 #include "definition.hpp"

+#include <oxenmq/auth.h>
 #include <chrono>
-
 #include <llarp/bootstrap.hpp>
 #include <llarp/crypto/types.hpp>
 #include <llarp/router_contact.hpp>
@ -26,6 +26,7 @@
 #include <utility>
 #include <vector>
 #include <unordered_set>
+#include <unordered_map>

 #include <oxenmq/address.h>

@ -190,6 +191,7 @@ namespace llarp
  {
    bool m_enableRPCServer = false;
    std::vector<oxenmq::address> m_rpcBindAddresses;
+    std::unordered_map<oxenmq::address, std::unordered_set<std::string>> m_rpcEncryptedAddresses;

    void
    defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);