Encrypted pubkey for listening ports:

- created option to add encrypted listeners with paired pubkeys in unordered_map, plus access verification - pubkeys stored in unordered set, changed lambda for listen_curve - pubkeys are comma-delimited and paired with bind address in config file
oxen-io · Feb 2, 2023 · 374a197 · 374a197
1 parent 7fb3678
commit 374a197
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 3 deletions.
diff --git a/llarp/config/config.cpp b/llarp/config/config.cpp
@@ -1,6 +1,7 @@
 #include "config.hpp"
 #include "definition.hpp"
 #include "ini.hpp"
+#include "oxenmq/address.h"
 
 #include <llarp/constants/files.hpp>
 #include <llarp/constants/platform.hpp>
@@ -1152,10 +1153,45 @@ namespace llarp
             "Recommend localhost-only for security purposes.",
         });
 
-    conf.defineOption<std::string>("api", "authkey", Deprecated);
+    conf.defineOption<std::string>(
+        "api",
+        "bind_curve",
+        Default{""},
+        MultiValue,
+        [this](std::string arg) mutable {
+          if (arg.empty())
+            return;
+
+          auto pipe = arg.find("|");
+
+          if (pipe == arg.npos)
+            throw std::invalid_argument(
+                "Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");
+
+          auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);
 
-    // TODO: this was from pre-refactor:
-    // TODO: add pubkey to whitelist
+          if (not starts_with(key, "tcp://"))
+            key = "tcp://" + key;
+
+          auto pubkeys = split(values, ",", true);
+
+          for (auto& pk : pubkeys)
+            m_rpcEncryptedAddresses[oxenmq::address{key}].emplace(pk);
+        },
+        Comment{
+            "Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
+            "by exposed encrypted listener. Keys must be attached to a listener address.",
+            "",
+            "Example: ",
+            "   bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
+            "   bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
+            "",
+            "In the given example above, port 1234 is only accessible by whitelisted ",
+            "pubkeys A and B, while 5678 is accessible by C and D.",
+            "",
+            "Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});
+
+    conf.defineOption<std::string>("api", "authkey", Deprecated);
   }
 
   void

diff --git a/llarp/config/config.hpp b/llarp/config/config.hpp
@@ -1,6 +1,7 @@
 #pragma once
 #include "ini.hpp"
 #include "definition.hpp"
+#include "oxenmq/auth.h"
 
 #include <chrono>
 
@@ -26,6 +27,7 @@
 #include <utility>
 #include <vector>
 #include <unordered_set>
+#include <unordered_map>
 
 #include <oxenmq/address.h>
 
@@ -190,6 +192,7 @@ namespace llarp
   {
     bool m_enableRPCServer = false;
     std::vector<oxenmq::address> m_rpcBindAddresses;
+    std::unordered_map<oxenmq::address, std::unordered_set<std::string>> m_rpcEncryptedAddresses;
 
     void
     defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);