Add Support for Encrypted/Authenticated Listeners

llarp/config/config.cpp

@@ -2,6 +2,8 @@
 #include "definition.hpp"
 #include "ini.hpp"
 
+#include <oxenmq/address.h>
+#include <oxenmq/oxenmq.h>
 #include <llarp/constants/files.hpp>
 #include <llarp/constants/platform.hpp>
 #include <llarp/constants/version.hpp>
@@ -1152,10 +1154,46 @@ namespace llarp
             "Recommend localhost-only for security purposes.",
         });
 
-    conf.defineOption<std::string>("api", "authkey", Deprecated);
+    conf.defineOption<std::string>(
+        "api",
+        "bind_curve",
+        Default{""},
+        MultiValue,
+        [this](std::string arg) mutable {
+          if (arg.empty())
+            return;
+
+          auto pipe = arg.find("|");
+
+          if (pipe == arg.npos)
+            throw std::invalid_argument(
+                "Addresses and whitelisted pubkeys must be pipe-delimited key:value pairs");
+
+          auto key = arg.substr(0, pipe), values = arg.substr(pipe + 1, arg.npos);
 
-    // TODO: this was from pre-refactor:
-    // TODO: add pubkey to whitelist
+          if (not starts_with(key, "tcp://"))
+            key = "tcp://" + key;
+
+          auto pubkeys = split(values, ",", true);
+          oxenmq::address key_addr{key};
+
+          for (auto& pk : pubkeys)
+            m_rpcEncryptedAddresses[key_addr].emplace(pk);
+        },
+        Comment{
+            "Specify encrypted listener addresses and comma-delimited public keys to be accepted ",
+            "by exposed encrypted listener. Keys must be attached to a listener address.",
+            "",
+            "Example: ",
+            "   bind_curve=tcp://0.0.0.0:1234|pubkeyA,pubkeyB",
+            "   bind_curve=tcp://0.0.0.0:5678|pubkeyC,pubkeyD",
+            "",
+            "In the given example above, port 1234 is only accessible by whitelisted ",
+            "pubkeys A and B, while 5678 is accessible by C and D.",
+            "",
+            "Note: tcp addresses passed without \"tcp://\" prefix will have it prepended"});
+
+    conf.defineOption<std::string>("api", "authkey", Deprecated);
   }
 
   void

llarp/config/config.hpp

@@ -2,8 +2,8 @@
 #include "ini.hpp"
 #include "definition.hpp"
 
+#include <oxenmq/auth.h>
 #include <chrono>
-
 #include <llarp/bootstrap.hpp>
 #include <llarp/crypto/types.hpp>
 #include <llarp/router_contact.hpp>
@@ -26,6 +26,7 @@
 #include <utility>
 #include <vector>
 #include <unordered_set>
+#include <unordered_map>
 
 #include <oxenmq/address.h>
 
@@ -190,6 +191,7 @@ namespace llarp
   {
     bool m_enableRPCServer = false;
     std::vector<oxenmq::address> m_rpcBindAddresses;
+    std::unordered_map<oxenmq::address, std::unordered_set<std::string>> m_rpcEncryptedAddresses;
 
     void
     defineConfigOptions(ConfigDefinition& conf, const ConfigGenParameters& params);

llarp/rpc/rpc_server.cpp

@@ -1,5 +1,7 @@
 #include "rpc_server.hpp"
 #include "llarp/rpc/rpc_request_definitions.hpp"
+#include "llarp/util/logging.hpp"
+#include "oxen/log.hpp"
 #include "rpc_request.hpp"
 #include "llarp/service/address.hpp"
 #include <cmath>
@@ -106,7 +108,22 @@ namespace llarp::rpc
     for (const auto& addr : r.GetConfig()->api.m_rpcBindAddresses)
     {
       m_LMQ->listen_plain(addr.zmq_address());
-      LogInfo("Bound RPC server to ", addr.full_address());
+      log::info(logcat, "Bound RPC server to {}", addr.full_address());
+    }
+
+    for (const auto& [address, allowed_keys] : r.GetConfig()->api.m_rpcEncryptedAddresses)
+    {
+      m_LMQ->listen_curve(
+          address.zmq_address(), [allowed_keys = allowed_keys](auto addr, auto pk, ...) {
+            if (allowed_keys.count(std::string{pk}))
+              return oxenmq::AuthLevel::admin;
+
+            log::warning(
+                logcat,
+                "Curve pubkey not in whitelist, denying incoming RPC connection from {}",
+                addr);
+            return oxenmq::AuthLevel::denied;
+          });
     }
 
     AddCategories();