Implement TLS support

depends/packages/openssl.mk

@@ -14,39 +14,27 @@ $(package)_config_opts+=no-async
 $(package)_config_opts+=no-bf
 $(package)_config_opts+=no-blake2
 $(package)_config_opts+=no-camellia
-$(package)_config_opts+=no-capieng
 $(package)_config_opts+=no-cast
-$(package)_config_opts+=no-chacha
 $(package)_config_opts+=no-cmac
 $(package)_config_opts+=no-cms
-$(package)_config_opts+=no-comp
 $(package)_config_opts+=no-crypto-mdebug
 $(package)_config_opts+=no-crypto-mdebug-backtrace
-$(package)_config_opts+=no-ct
 $(package)_config_opts+=no-dgram
-$(package)_config_opts+=no-dsa
 $(package)_config_opts+=no-dso
 $(package)_config_opts+=no-dtls
 $(package)_config_opts+=no-dtls1
 $(package)_config_opts+=no-dtls1-method
 $(package)_config_opts+=no-dynamic-engine
-$(package)_config_opts+=no-ec2m
-$(package)_config_opts+=no-ec_nistp_64_gcc_128
 $(package)_config_opts+=no-egd
 $(package)_config_opts+=no-engine
-$(package)_config_opts+=no-err
 $(package)_config_opts+=no-gost
 $(package)_config_opts+=no-heartbeats
-$(package)_config_opts+=no-idea
 $(package)_config_opts+=no-md2
 $(package)_config_opts+=no-md4
 $(package)_config_opts+=no-mdc2
 $(package)_config_opts+=no-multiblock
 $(package)_config_opts+=no-nextprotoneg
 $(package)_config_opts+=no-ocb
-$(package)_config_opts+=no-ocsp
-$(package)_config_opts+=no-poly1305
-$(package)_config_opts+=no-posix-io
 $(package)_config_opts+=no-psk
 $(package)_config_opts+=no-rc2
 $(package)_config_opts+=no-rc4
@@ -63,16 +51,11 @@ $(package)_config_opts+=no-srtp
 $(package)_config_opts+=no-ssl3
 $(package)_config_opts+=no-ssl3-method
 $(package)_config_opts+=no-ssl-trace
-$(package)_config_opts+=no-stdio
-$(package)_config_opts+=no-tls1
-$(package)_config_opts+=no-tls1-method
 $(package)_config_opts+=no-ts
 $(package)_config_opts+=no-ui
 $(package)_config_opts+=no-unit-test
 $(package)_config_opts+=no-weak-ssl-ciphers
 $(package)_config_opts+=no-whirlpool
-$(package)_config_opts+=no-zlib
-$(package)_config_opts+=no-zlib-dynamic
 $(package)_config_opts+=$($(package)_cflags) $($(package)_cppflags)
 $(package)_config_opts+=-DPURIFY
 $(package)_config_opts_linux=-fPIC -Wa,--noexecstack

src/Makefile.am

@@ -68,6 +68,7 @@ LIBSNARK=snark/libsnark.a
 LIBUNIVALUE=univalue/libunivalue.la
 LIBZCASH=libzcash.a
 LIBCJSON=libcjson.a
+LIBTLS=libtls.a
 
 if ENABLE_ZMQ
 LIBBITCOIN_ZMQ=libbitcoin_zmq.a
@@ -161,7 +162,8 @@ EXTRA_LIBRARIES += \
   $(LIBBITCOIN_COMMON) \
   $(LIBBITCOIN_SERVER) \
   $(LIBBITCOIN_CLI) \
-  libzcash.a
+  libzcash.a \
+  libtls.a
 if ENABLE_WALLET
 BITCOIN_INCLUDES += $(BDB_CPPFLAGS)
 EXTRA_LIBRARIES += $(LIBBITCOIN_WALLET)
@@ -339,6 +341,8 @@ BITCOIN_CORE_H = \
   zmq/zmqnotificationinterface.h \
   zmq/zmqpublishnotifier.h
 
+LIBTLS_H = \
+    tls/utiltls.h
 
 obj/build.h: FORCE
 	@$(MKDIR_P) $(builddir)/obj
@@ -427,7 +431,8 @@ libbitcoin_server_a_SOURCES = \
 	cc/cclib.cpp \
 	mini-gmp.c \
   $(BITCOIN_CORE_H) \
-  $(LIBZCASH_H)
+  $(LIBZCASH_H) \
+  $(LIBTLS_H)
 
 if ENABLE_ZMQ
 libbitcoin_zmq_a_CPPFLAGS = $(BITCOIN_INCLUDES) $(ZMQ_CFLAGS)
@@ -680,6 +685,7 @@ pirated_LDADD = \
   $(LIBZCASH) \
 	$(LIBRUSTZCASH) \
   $(LIBSNARK) \
+	$(LIBTLS) \
   $(LIBLEVELDB) \
   $(LIBMEMENV) \
   $(LIBSECP256K1) \
@@ -756,6 +762,7 @@ pirate_cli_LDADD = \
 	$(EVENT_LIBS) \
 	$(LIBZCASH) \
 	$(LIBRUSTZCASH) \
+	$(LIBTLS) \
 	$(LIBBITCOIN_CRYPTO) \
   $(LIBVERUS_CRYPTO) \
   $(LIBVERUS_PORTABLE_CRYPTO) \
@@ -799,6 +806,7 @@ pirate_tx_LDADD = \
   $(LIBZCASH) \
 	$(LIBRUSTZCASH) \
   $(LIBSNARK) \
+	$(LIBTLS) \
   $(LIBBITCOIN_CRYPTO) \
   $(LIBVERUS_CRYPTO) \
   $(LIBVERUS_PORTABLE_CRYPTO) \
@@ -870,6 +878,18 @@ libzcashconsensus_la_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 endif
 #
 
+libtls_a_SOURCES = \
+    tls/utiltls.cpp\
+    tls/tlsmanager.cpp
+
+libtls_a_CPPFLAGS = -DMULTICORE -fopenmp -fPIC -DBINARY_OUTPUT -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS $(HARDENED_CPPFLAGS) -pipe -O2 -g  -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES)
+
+libtls_a_CXXFLAGS = $(HARDENED_CXXFLAGS) -fwrapv -fno-strict-aliasing
+
+libtls_a_LDFLAGS = $(HARDENED_LDFLAGS)
+
+libtls_a_CPPFLAGS += -DMONTGOMERY_OUTPUT
+
 CLEANFILES = leveldb/libleveldb.a leveldb/libmemenv.a *.gcda *.gcno */*.gcno wallet/*/*.gcno
 
 DISTCLEANFILES = obj/build.h

src/Makefile.qt.include

@@ -561,6 +561,7 @@ qt_komodo_qt_LDADD += \
   $(LIBVERUS_PORTABLE_CRYPTO) \
   $(LIBZCASH) \
   $(LIBRUSTZCASH) \
+  $(LIBTLS) \
   $(LIBSNARK) \
   $(LIBZCASH_LIBS) \
   $(LIBCRYPTOCONDITIONS)

src/init.cpp

@@ -441,6 +441,11 @@ std::string HelpMessage(HelpMessageMode mode)
     strUsage += HelpMessageOpt("-timeout=<n>", strprintf(_("Specify connection timeout in milliseconds (minimum: 1, default: %d)"), DEFAULT_CONNECT_TIMEOUT));
     strUsage += HelpMessageOpt("-torcontrol=<ip>:<port>", strprintf(_("Tor control port to use if onion listening enabled (default: %s)"), DEFAULT_TOR_CONTROL));
     strUsage += HelpMessageOpt("-torpassword=<pass>", _("Tor control port password (default: empty)"));
+    strUsage += HelpMessageOpt("-tls=<option>", _("Specify TLS usage (default: 1 => enabled and preferred, yet compatible); other options are -tls=0 to disable TLS and -tls=only to enforce it"));
+    strUsage += HelpMessageOpt("-tlskeypath=<path>", _("Full path to a private key"));
+    strUsage += HelpMessageOpt("-tlskeypwd=<password>", _("Password for a private key encryption (default: not set, i.e. private key will be stored unencrypted)"));
+    strUsage += HelpMessageOpt("-tlscertpath=<path>", _("Full path to a certificate"));
+    strUsage += HelpMessageOpt("-tlstrustdir=<path>", _("Full path to a trusted certificates directory"));
     strUsage += HelpMessageOpt("-whitebind=<addr>", _("Bind to given address and whitelist peers connecting to it. Use [host]:port notation for IPv6"));
     strUsage += HelpMessageOpt("-whitelist=<netmask>", _("Whitelist peers connecting from the given netmask or IP address. Can be specified multiple times.") +
         " " + _("Whitelisted peers cannot be DoS banned and their transactions are always relayed, even if they are already in the mempool, useful e.g. for a gateway"));
@@ -1612,6 +1617,24 @@ bool AppInit2(boost::thread_group& threadGroup, CScheduler& scheduler)
     BOOST_FOREACH(const std::string& strDest, mapMultiArgs["-seednode"])
         AddOneShot(strDest);
 
+    if (mapArgs.count("-tlskeypath")) {
+        boost::filesystem::path pathTLSKey(GetArg("-tlskeypath", ""));
+    if (!boost::filesystem::exists(pathTLSKey))
+         return InitError(strprintf(_("Cannot find TLS key file: '%s'"), pathTLSKey.string()));
+    }
+
+    if (mapArgs.count("-tlscertpath")) {
+        boost::filesystem::path pathTLSCert(GetArg("-tlscertpath", ""));
+    if (!boost::filesystem::exists(pathTLSCert))
+        return InitError(strprintf(_("Cannot find TLS cert file: '%s'"), pathTLSCert.string()));
+    }
+
+    if (mapArgs.count("-tlstrustdir")) {
+        boost::filesystem::path pathTLSTrustredDir(GetArg("-tlstrustdir", ""));
+        if (!boost::filesystem::exists(pathTLSTrustredDir))
+            return InitError(strprintf(_("Cannot find trusted certificates directory: '%s'"), pathTLSTrustredDir.string()));
+    }
+
 #if ENABLE_ZMQ
     pzmqNotificationInterface = CZMQNotificationInterface::CreateWithArguments(mapArgs);