TLS: added command line to load certificate files

docs/COMMAND_LINE.MD

@@ -31,6 +31,8 @@
 --upnp-stratum       Port forward Stratum port (it's not forwarded by default)
 --merge-mine         IP:port and wallet address for another blockchain to merge mine with
 --version            Print p2pool's version and build details
+--tls-cert file      Load TLS certificate chain from "file" in the PEM format
+--tls-cert-key file  Load TLS certificate private key from "file" in the PEM format
 ```
 
 ### Example command line
@@ -68,3 +70,13 @@ Merge mining will be available in P2Pool after the fork on October 12th, 2024. V
   p2pool.exe --wallet YOUR_MONERO_WALLET_ADDRESS --merge-mine tari://IP:port TARI_WALLET_ADDRESS
   ```
   Merge mining is available for testing in Tari's [v1.0.0-pre.14 release](https://github.com/tari-project/tari/releases/tag/v1.0.0-pre.14) (Esmeralda testnet).
+
+### TLS
+
+All `--tls...` parameters are optional. If they are not provided, P2Pool will generate a self-signed certificate upon startup.
+
+If you want to use your own certificate, please refer to your certificate provider's documentation (or OpenSSL documentation) on how to generate the appropriate PEM files.
+
+Note that you need to use certificate files and `--tls...` parameters to be able to use certificate pinning in XMRig miners that connect to your P2Pool instance.
+
+`--tls-cert` and `--tls-cert-key` parameters must always be used together.

src/main.cpp

@@ -64,6 +64,10 @@ void p2pool_usage()
 #endif
 		"--merge-mine         IP:port and wallet address for another blockchain to merge mine with\n"
 		"--version            Print p2pool's version and build details\n"
+#ifdef WITH_TLS
+		"--tls-cert file      Load TLS certificate chain from \"file\" in the PEM format\n"
+		"--tls-cert-key file  Load TLS certificate private key from \"file\" in the PEM format\n"
+#endif
 		"--help               Show this help message\n\n"
 		"Example command line:\n\n"
 		"%s --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALLET_ADDRESS --stratum 0.0.0.0:%d --p2p 0.0.0.0:%d\n\n",

src/p2pool.cpp

@@ -1903,6 +1903,15 @@ int p2pool::run()
 		return 1;
 	}
 
+#ifdef WITH_TLS
+	if (!m_params->m_tlsCert.empty() && !m_params->m_tlsCertKey.empty()) {
+		if (!ServerTls::load_from_files(m_params->m_tlsCert.c_str(), m_params->m_tlsCertKey.c_str())) {
+			LOGERR(1, "Failed to load TLS files");
+			return 1;
+		}
+	}
+#endif
+
 	// Init default loop user data before running it
 	uv_loop_t* loop = uv_default_loop_checked();
 	loop->data = nullptr;

src/params.cpp

@@ -195,6 +195,18 @@ Params::Params(int argc, char* const argv[])
 			ok = true;
 		}
 
+#ifdef WITH_TLS
+		if ((strcmp(argv[i], "--tls-cert") == 0) && (i + 1 < argc)) {
+			m_tlsCert = argv[++i];
+			ok = true;
+		}
+
+		if ((strcmp(argv[i], "--tls-cert-key") == 0) && (i + 1 < argc)) {
+			m_tlsCertKey = argv[++i];
+			ok = true;
+		}
+#endif
+
 		if (!ok) {
 			fprintf(stderr, "Unknown command line parameter %s\n\n", argv[i]);
 			p2pool_usage();
@@ -240,6 +252,13 @@ bool Params::valid() const
 		return false;
 	}
 
+#ifdef WITH_TLS
+	if (m_tlsCert.empty() != m_tlsCertKey.empty()) {
+		LOGERR(1, "Both --tls-cert and --tls-cert-key files must be specified");
+		return false;
+	}
+#endif
+
 	return true;
 }
 

src/params.h

@@ -92,6 +92,10 @@ struct Params
 	bool m_upnp = false;
 	bool m_upnpStratum = false;
 #endif
+#ifdef WITH_TLS
+	std::string m_tlsCert;
+	std::string m_tlsCertKey;
+#endif
 };
 
 } // namespace p2pool

src/tls.cpp

@@ -40,6 +40,12 @@ static bssl::UniquePtr<EVP_PKEY> init_evp_pkey()
 		return nullptr;
 	}
 
+	//FILE* fp;
+	//if (fopen_s(&fp, "cert_key.pem", "wb") == 0) {
+	//	PEM_write_PrivateKey(fp, evp_pkey.get(), nullptr, nullptr, 0, nullptr, nullptr);
+	//	fclose(fp);
+	//}
+
 	return evp_pkey;
 }
 
@@ -100,6 +106,12 @@ static bssl::UniquePtr<X509> init_cert()
 		return nullptr;
 	}
 
+	//FILE* fp;
+	//if (fopen_s(&fp, "cert.pem", "wb") == 0) {
+	//	PEM_write_X509(fp, x509.get());
+	//	fclose(fp);
+	//}
+
 	return x509;
 }
 
@@ -130,6 +142,43 @@ static bssl::UniquePtr<SSL_CTX> init_ctx()
 
 static bssl::UniquePtr<SSL_CTX> s_ctx = init_ctx();
 
+bool ServerTls::load_from_files(const char* cert, const char* cert_key)
+{
+	if (!cert) {
+		LOGERR(0, "No cert file specified");
+		return false;
+	}
+
+	if (!cert_key) {
+		LOGERR(0, "No cert_key file specified");
+		return false;
+	}
+
+	bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+
+	if (!ctx.get()) {
+		LOGERR(0, "Failed to create SSL context");
+		return false;
+	}
+
+	if (SSL_CTX_use_certificate_chain_file(ctx.get(), cert) <= 0) {
+		LOGERR(0, "Failed to load " << cert);
+		return false;
+	}
+
+	if (SSL_CTX_use_PrivateKey_file(ctx.get(), cert_key, SSL_FILETYPE_PEM) <= 0) {
+		LOGERR(0, "Failed to load " << cert_key);
+		return false;
+	}
+
+	SSL_CTX_set_options(ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+	LOGINFO(1, log::LightCyan() << "Loaded " << cert << ", " << cert_key);
+
+	s_ctx.reset(ctx.release());
+	return true;
+}
+
 void ServerTls::reset()
 {
 	m_ssl.reset(nullptr);

src/tls.h

@@ -37,6 +37,8 @@ class ServerTls
 public:
 	FORCEINLINE ServerTls() { reset(); }
 
+	[[nodiscard]] static bool load_from_files(const char* cert, const char* cert_key);
+
 	void reset();
 	[[nodiscard]] bool init();