diff --git a/docs/COMMAND_LINE.MD b/docs/COMMAND_LINE.MD
index 3c7c2134..f3035eb6 100644
--- a/docs/COMMAND_LINE.MD
+++ b/docs/COMMAND_LINE.MD
@@ -31,6 +31,8 @@
 --upnp-stratum Port forward Stratum port (it's not forwarded by default)
 --merge-mine IP:port and wallet address for another blockchain to merge mine with
 --version Print p2pool's version and build details
+--tls-cert file Load TLS certificate chain from "file" in the PEM format
+--tls-cert-key file Load TLS certificate private key from "file" in the PEM format
 ```
 
 ### Example command line
@@ -68,3 +70,13 @@ Merge mining will be available in P2Pool after the fork on October 12th, 2024. V
 p2pool.exe --wallet YOUR_MONERO_WALLET_ADDRESS --merge-mine tari://IP:port TARI_WALLET_ADDRESS
 ```
 Merge mining is available for testing in Tari's [v1.0.0-pre.14 release](https://github.com/tari-project/tari/releases/tag/v1.0.0-pre.14) (Esmeralda testnet).
+
+### TLS
+
+All `--tls...` parameters are optional. If they are not provided, P2Pool will generate a self-signed certificate upon startup.
+
+If you want to use your own certificate, please refer to your certificate provider's documentation (or OpenSSL documentation) on how to generate the appropriate PEM files.
+
+Note that you need to use certificate files and `--tls...` parameters to be able to use certificate pinning in XMRig miners that connect to your P2Pool instance.
+
+`--tls-cert` and `--tls-cert-key` parameters must always be used together.
diff --git a/src/main.cpp b/src/main.cpp
index 8dd463ba..4bf34856 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -64,6 +64,10 @@ void p2pool_usage()
 #endif
 "--merge-mine IP:port and wallet address for another blockchain to merge mine with\n"
 "--version Print p2pool's version and build details\n"
+#ifdef WITH_TLS
+ "--tls-cert file Load TLS certificate chain from \"file\" in the PEM format\n"
+ "--tls-cert-key file Load TLS certificate private key from \"file\" in the PEM format\n"
+#endif
 "--help Show this help message\n\n"
 "Example command line:\n\n"
 "%s --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALLET_ADDRESS --stratum 0.0.0.0:%d --p2p 0.0.0.0:%d\n\n",
diff --git a/src/p2pool.cpp b/src/p2pool.cpp
index 9f9b356d..966eb37f 100644
--- a/src/p2pool.cpp
+++ b/src/p2pool.cpp
@@ -1903,6 +1903,15 @@ int p2pool::run()
 return 1;
 }
 
+#ifdef WITH_TLS
+ if (!m_params->m_tlsCert.empty() && !m_params->m_tlsCertKey.empty()) {
+ if (!ServerTls::load_from_files(m_params->m_tlsCert.c_str(), m_params->m_tlsCertKey.c_str())) {
+ LOGERR(1, "Failed to load TLS files");
+ return 1;
+ }
+ }
+#endif
+
 // Init default loop user data before running it
 uv_loop_t* loop = uv_default_loop_checked();
 loop->data = nullptr;
diff --git a/src/params.cpp b/src/params.cpp
index 9789b838..3abeafe6 100644
--- a/src/params.cpp
+++ b/src/params.cpp
@@ -195,6 +195,18 @@ Params::Params(int argc, char* const argv[])
 ok = true;
 }
 
+#ifdef WITH_TLS
+ if ((strcmp(argv[i], "--tls-cert") == 0) && (i + 1 < argc)) {
+ m_tlsCert = argv[++i];
+ ok = true;
+ }
+
+ if ((strcmp(argv[i], "--tls-cert-key") == 0) && (i + 1 < argc)) {
+ m_tlsCertKey = argv[++i];
+ ok = true;
+ }
+#endif
+
 if (!ok) {
 fprintf(stderr, "Unknown command line parameter %s\n\n", argv[i]);
 p2pool_usage();
@@ -240,6 +252,13 @@ bool Params::valid() const
 return false;
 }
 
+#ifdef WITH_TLS
+ if (m_tlsCert.empty() != m_tlsCertKey.empty()) {
+ LOGERR(1, "Both --tls-cert and --tls-cert-key files must be specified");
+ return false;
+ }
+#endif
+
 return true;
 }
 
diff --git a/src/params.h b/src/params.h
index 2d6827b9..95f7c160 100644
--- a/src/params.h
+++ b/src/params.h
@@ -92,6 +92,10 @@ struct Params
 bool m_upnp = false;
 bool m_upnpStratum = false;
 #endif
+#ifdef WITH_TLS
+ std::string m_tlsCert;
+ std::string m_tlsCertKey;
+#endif
 };
 
 } // namespace p2pool
diff --git a/src/tls.cpp b/src/tls.cpp
index cc2a4112..aa9e5f29 100644
--- a/src/tls.cpp
+++ b/src/tls.cpp
@@ -40,6 +40,12 @@ static bssl::UniquePtr init_evp_pkey()
 return nullptr;
 }
 
+ //FILE* fp;
+ //if (fopen_s(&fp, "cert_key.pem", "wb") == 0) {
+ // PEM_write_PrivateKey(fp, evp_pkey.get(), nullptr, nullptr, 0, nullptr, nullptr);
+ // fclose(fp);
+ //}
+
 return evp_pkey;
 }
 
@@ -100,6 +106,12 @@ static bssl::UniquePtr init_cert()
 return nullptr;
 }
 
+ //FILE* fp;
+ //if (fopen_s(&fp, "cert.pem", "wb") == 0) {
+ // PEM_write_X509(fp, x509.get());
+ // fclose(fp);
+ //}
+
 return x509;
 }
 
@@ -130,6 +142,43 @@ static bssl::UniquePtr init_ctx()
 
 static bssl::UniquePtr s_ctx = init_ctx();
 
+bool ServerTls::load_from_files(const char* cert, const char* cert_key)
+{
+ if (!cert) {
+ LOGERR(0, "No cert file specified");
+ return false;
+ }
+
+ if (!cert_key) {
+ LOGERR(0, "No cert_key file specified");
+ return false;
+ }
+
+ bssl::UniquePtr ctx(SSL_CTX_new(TLS_method()));
+
+ if (!ctx.get()) {
+ LOGERR(0, "Failed to create SSL context");
+ return false;
+ }
+
+ if (SSL_CTX_use_certificate_chain_file(ctx.get(), cert) <= 0) {
+ LOGERR(0, "Failed to load " << cert);
+ return false;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ctx.get(), cert_key, SSL_FILETYPE_PEM) <= 0) {
+ LOGERR(0, "Failed to load " << cert_key);
+ return false;
+ }
+
+ SSL_CTX_set_options(ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+ LOGINFO(1, log::LightCyan() << "Loaded " << cert << ", " << cert_key);
+
+ s_ctx.reset(ctx.release());
+ return true;
+}
+
 void ServerTls::reset()
 {
 m_ssl.reset(nullptr);
diff --git a/src/tls.h b/src/tls.h
index 56160b10..e4387aca 100644
--- a/src/tls.h
+++ b/src/tls.h
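Review bot: The commented-out block added to init_evp_pkey() (and the matching one in the init_cert() hunk that follows) is dead debugging code that, if ever uncommented, writes the freshly generated private key to `cert_key.pem` in the current working directory using default file permissions, so it should not be left in a TLS source file where a later "just enable this" is one keystroke away. If the export is a deliberate development aid, gate it behind a dedicated compile-time define instead of comment markers and document it with something like `// Debug build only: dumps the generated key/cert to disk for inspection; must never be compiled into release builds`; otherwise drop both blocks, since git history keeps them. Both enclosing functions start outside their hunks, so I cannot tell whether any existing debug define in this file could be reused.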
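Review bot: load_from_files() accepts a certificate and private key that do not belong together: after SSL_CTX_use_PrivateKey_file succeeds there is no consistency check, so a mismatched pair is only discovered when the first miner's handshake fails instead of at startup where the operator sees the error. Add, before SSL_CTX_set_options, `if (!SSL_CTX_check_private_key(ctx.get())) {` / `LOGERR(0, "TLS certificate and private key do not match"); return false;` / `}`. Separately, the file-loaded context only sets SSL_OP_CIPHER_SERVER_PREFERENCE; init_ctx() is outside the hunk, and if it applies further hardening to the self-signed context (minimum protocol version, cipher configuration) the operator-supplied path would silently end up with weaker settings, so the two should share one context-configuration helper. A short header comment on the function stating that it replaces the process-wide s_ctx and must be called before any ServerTls instance is created would also help, since p2pool.cpp relies on that ordering.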
@@ -37,6 +37,8 @@ class ServerTls
 public:
 FORCEINLINE ServerTls() { reset(); }
 
+ [[nodiscard]] static bool load_from_files(const char* cert, const char* cert_key);
+
 void reset();
 [[nodiscard]] bool init();