Merge remote-tracking branch 'origin/tls'

.github/workflows/c-cpp.yml

@@ -423,11 +423,12 @@ jobs:
     strategy:
       matrix:
         config:
-          - {vs: Visual Studio 17 2022, os: 2022, vspath: "C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise", rx: "ON", upnp: "ON", grpc: "ON"}
-          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "ON", upnp: "ON", grpc: "ON"}
-          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "ON", upnp: "ON", grpc: "OFF"}
-          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "OFF", upnp: "ON", grpc: "OFF"}
-          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "OFF", upnp: "OFF", grpc: "OFF"}
+          - {vs: Visual Studio 17 2022, os: 2022, vspath: "C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise", rx: "ON", upnp: "ON", grpc: "ON", tls: "ON"}
+          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "ON", upnp: "ON", grpc: "ON", tls: "ON"}
+          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "ON", upnp: "ON", grpc: "OFF", tls: "ON"}
+          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "OFF", upnp: "ON", grpc: "OFF", tls: "ON"}
+          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "OFF", upnp: "OFF", grpc: "OFF", tls: "ON"}
+          - {vs: Visual Studio 16 2019, os: 2019, vspath: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise", rx: "OFF", upnp: "OFF", grpc: "OFF", tls: "OFF"}
 
     steps:
     - name: Checkout repository
@@ -442,7 +443,7 @@ jobs:
       run: |
         mkdir build
         cd build
-        cmake .. -G "${{ matrix.config.vs }}" -DCMAKE_SYSTEM_VERSION="10.0" -DWITH_RANDOMX=${{ matrix.config.rx }} -DWITH_UPNP=${{ matrix.config.upnp }} -DWITH_GRPC=${{ matrix.config.grpc }}
+        cmake .. -G "${{ matrix.config.vs }}" -DCMAKE_SYSTEM_VERSION="10.0" -DWITH_RANDOMX=${{ matrix.config.rx }} -DWITH_UPNP=${{ matrix.config.upnp }} -DWITH_GRPC=${{ matrix.config.grpc }} -DWITH_TLS=${{ matrix.config.tls }}
         & "${{ matrix.config.vspath }}\\MSBuild\\Current\\Bin\\amd64\\msbuild" -v:m /m /p:Configuration=Release p2pool.vcxproj
 
     - name: Check Windows 7 compatibility
@@ -480,7 +481,7 @@ jobs:
     - name: Archive binary
       uses: actions/upload-artifact@v4
       with:
-        name: p2pool-vs-${{ matrix.config.os }}-randomx-${{ matrix.config.rx }}-upnp-${{ matrix.config.upnp }}-grpc-${{ matrix.config.grpc }}.exe
+        name: p2pool-vs-${{ matrix.config.os }}-randomx-${{ matrix.config.rx }}-upnp-${{ matrix.config.upnp }}-grpc-${{ matrix.config.grpc }}-tls-${{ matrix.config.tls }}.exe
         path: build/Release/p2pool.exe
 
   build-macos:

CMakeLists.txt

@@ -17,6 +17,7 @@ option(WITH_RANDOMX "Include the RandomX library in the build. If this is turned
 option(WITH_LTO "Use link-time compiler optimization (if linking fails for you, run cmake with -DWITH_LTO=OFF)" ON)
 option(WITH_UPNP "Include UPnP support. If this is turned off, p2pool will not be able to configure port forwarding on UPnP-enabled routers." ON)
 option(WITH_GRPC "Include gRPC support. If this is turned off, p2pool will not be able to merge mine with Tari." ON)
+option(WITH_TLS "Include TLS support. If this is turned off, p2pool will not support Stratum TLS connections." ON)
 
 option(DEV_TEST_SYNC "[Developer only] Sync test, stop p2pool after sync is complete" OFF)
 option(DEV_WITH_TSAN "[Developer only] Compile with thread sanitizer" OFF)
@@ -37,6 +38,9 @@ if (WITH_GRPC)
 	include(cmake/grpc.cmake)
 
 	add_subdirectory(external/src/Tari)
+elseif (WITH_TLS)
+	add_subdirectory(cmake/ssl)
+	include_directories(external/src/grpc/third_party/boringssl-with-bazel/src/include)
 endif()
 
 if (WITH_RANDOMX)
@@ -166,6 +170,13 @@ if (WITH_GRPC)
 	set(SOURCES ${SOURCES} src/merge_mining_client_tari.cpp)
 endif()
 
+if (WITH_TLS)
+	add_definitions(-DWITH_TLS)
+
+	set(HEADERS ${HEADERS} src/tls.h)
+	set(SOURCES ${SOURCES} src/tls.cpp)
+endif()
+
 source_group(TREE "${CMAKE_CURRENT_SOURCE_DIR}" PREFIX "Header Files" FILES ${HEADERS})
 source_group(TREE "${CMAKE_CURRENT_SOURCE_DIR}" PREFIX "Source Files" FILES ${SOURCES})
 
@@ -404,6 +415,8 @@ if (STATIC_BINARY OR STATIC_LIBS)
 
 	if (WITH_GRPC)
 		set(STATIC_LIBS ${STATIC_LIBS} Tari_gRPC grpc grpc++ libprotobuf)
+	elseif(WITH_TLS)
+		set(STATIC_LIBS ${STATIC_LIBS} ssl crypto)
 	endif()
 
 	target_link_libraries(${CMAKE_PROJECT_NAME}
@@ -415,6 +428,8 @@ if (STATIC_BINARY OR STATIC_LIBS)
 else()
 	if (WITH_GRPC)
 		set(LIBS ${LIBS} Tari_gRPC grpc grpc++ libprotobuf)
+	elseif(WITH_TLS)
+		set(LIBS ${LIBS} ssl crypto)
 	endif()
 
 	target_link_libraries(${CMAKE_PROJECT_NAME} debug ${ZMQ_LIBRARY_DEBUG} debug ${UV_LIBRARY_DEBUG} debug ${CURL_LIBRARY_DEBUG} optimized ${ZMQ_LIBRARY} optimized ${UV_LIBRARY} optimized ${CURL_LIBRARY} ${LIBS})

cmake/grpc.cmake

@@ -35,5 +35,6 @@ add_definitions(-DPROTOBUF_ENABLE_DEBUG_LOGGING_MAY_LEAK_PII=0)
 add_subdirectory(external/src/grpc)
 
 include_directories(external/src/grpc/third_party/abseil-cpp)
+include_directories(external/src/grpc/third_party/boringssl-with-bazel/src/include)
 include_directories(external/src/grpc/third_party/protobuf/src)
 include_directories(external/src/grpc/include)

cmake/ssl/CMakeLists.txt

@@ -0,0 +1,31 @@
+cmake_minimum_required(VERSION 3.12)
+
+project(P2Pool_SSL LANGUAGES C CXX)
+
+if (CMAKE_CXX_COMPILER_ID MATCHES MSVC)
+	set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} /W0 /Zi /Od /Ob0 /MP /MTd")
+	set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} /W0 /Zi /Od /Ob0 /MP /MTd")
+	set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} /W0 /O1 /Ob2 /Oi /Os /Oy /MP /MT")
+	set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /W0 /O1 /Ob2 /Oi /Os /Oy /MP /MT")
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} /W0 /Ob1 /Ot /Zi /MP /MT")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} /W0 /Ob1 /Ot /Zi /MP /MT")
+else()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Os -w")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Os -w")
+endif()
+
+if(CMAKE_GENERATOR MATCHES "Visual Studio")
+	if(CMAKE_VERSION VERSION_LESS 3.13)
+		message(WARNING "Disabling SSL assembly support because CMake version ${CMAKE_VERSION} is too old (less than 3.13)")
+		set(OPENSSL_NO_ASM ON)
+	else()
+		include(CheckLanguage)
+		check_language(ASM_NASM)
+		if(NOT CMAKE_ASM_NASM_COMPILER)
+			message(WARNING "Disabling SSL assembly support because NASM could not be found")
+			set(OPENSSL_NO_ASM ON)
+		endif()
+	endif()
+endif()
+
+add_subdirectory(../../external/src/grpc/third_party/boringssl-with-bazel BoringSSL)

docs/COMMAND_LINE.MD

@@ -31,6 +31,8 @@
 --upnp-stratum       Port forward Stratum port (it's not forwarded by default)
 --merge-mine         IP:port and wallet address for another blockchain to merge mine with
 --version            Print p2pool's version and build details
+--tls-cert file      Load TLS certificate chain from "file" in the PEM format
+--tls-cert-key file  Load TLS certificate private key from "file" in the PEM format
 ```
 
 ### Example command line
@@ -68,3 +70,13 @@ Merge mining will be available in P2Pool after the fork on October 12th, 2024. V
   p2pool.exe --wallet YOUR_MONERO_WALLET_ADDRESS --merge-mine tari://IP:port TARI_WALLET_ADDRESS
   ```
   Merge mining is available for testing in Tari's [v1.0.0-pre.14 release](https://github.com/tari-project/tari/releases/tag/v1.0.0-pre.14) (Esmeralda testnet).
+
+### TLS
+
+All `--tls...` parameters are optional. If they are not provided, P2Pool will generate a self-signed certificate upon startup.
+
+If you want to use your own certificate, please refer to your certificate provider's documentation (or OpenSSL documentation) on how to generate the appropriate PEM files.
+
+Note that you need to use certificate files and `--tls...` parameters to be able to use certificate pinning in XMRig miners that connect to your P2Pool instance.
+
+`--tls-cert` and `--tls-cert-key` parameters must always be used together.

src/main.cpp

@@ -64,6 +64,10 @@ void p2pool_usage()
 #endif
 		"--merge-mine         IP:port and wallet address for another blockchain to merge mine with\n"
 		"--version            Print p2pool's version and build details\n"
+#ifdef WITH_TLS
+		"--tls-cert file      Load TLS certificate chain from \"file\" in the PEM format\n"
+		"--tls-cert-key file  Load TLS certificate private key from \"file\" in the PEM format\n"
+#endif
 		"--help               Show this help message\n\n"
 		"Example command line:\n\n"
 		"%s --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALLET_ADDRESS --stratum 0.0.0.0:%d --p2p 0.0.0.0:%d\n\n",

src/p2pool.cpp

@@ -1903,6 +1903,15 @@ int p2pool::run()
 		return 1;
 	}
 
+#ifdef WITH_TLS
+	if (!m_params->m_tlsCert.empty() && !m_params->m_tlsCertKey.empty()) {
+		if (!ServerTls::load_from_files(m_params->m_tlsCert.c_str(), m_params->m_tlsCertKey.c_str())) {
+			LOGERR(1, "Failed to load TLS files");
+			return 1;
+		}
+	}
+#endif
+
 	// Init default loop user data before running it
 	uv_loop_t* loop = uv_default_loop_checked();
 	loop->data = nullptr;

src/params.cpp

@@ -195,6 +195,18 @@ Params::Params(int argc, char* const argv[])
 			ok = true;
 		}
 
+#ifdef WITH_TLS
+		if ((strcmp(argv[i], "--tls-cert") == 0) && (i + 1 < argc)) {
+			m_tlsCert = argv[++i];
+			ok = true;
+		}
+
+		if ((strcmp(argv[i], "--tls-cert-key") == 0) && (i + 1 < argc)) {
+			m_tlsCertKey = argv[++i];
+			ok = true;
+		}
+#endif
+
 		if (!ok) {
 			fprintf(stderr, "Unknown command line parameter %s\n\n", argv[i]);
 			p2pool_usage();
@@ -240,6 +252,13 @@ bool Params::valid() const
 		return false;
 	}
 
+#ifdef WITH_TLS
+	if (m_tlsCert.empty() != m_tlsCertKey.empty()) {
+		LOGERR(1, "Both --tls-cert and --tls-cert-key files must be specified");
+		return false;
+	}
+#endif
+
 	return true;
 }
 

src/params.h

@@ -92,6 +92,10 @@ struct Params
 	bool m_upnp = false;
 	bool m_upnpStratum = false;
 #endif
+#ifdef WITH_TLS
+	std::string m_tlsCert;
+	std::string m_tlsCertKey;
+#endif
 };
 
 } // namespace p2pool