In the config file, allow specifying PrivateKey and PresharedKey as files, not only directly. This way the config file can be made readable since the only security-sensitive part there is the keys which can now be stored separately. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> --- src/config.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/config.c b/src/config.c index e0b4b7c..b4280e5 100644 --- a/src/config.c +++ b/src/config.c @@ -157,6 +157,16 @@ out: return ret; } +static inline bool parse_key_or_file(uint8_t key[static WG_KEY_LEN], const char *value) +{ + if (value[0] == '/' && (strlen(value) != WG_KEY_LEN_BASE64 - 1 || value[WG_KEY_LEN_BASE64 - 2] != '=')) { + return parse_keyfile(key, value); + } + else { + return parse_key(key, value); + } +} + static inline bool parse_ip(struct wgallowedip *allowedip, const char *value) { allowedip->family = AF_UNSPEC; @@ -447,7 +457,7 @@ static bool process_line(struct config_ctx *ctx, const char *line) else if (key_match("FwMark")) ret = parse_fwmark(&ctx->device->fwmark, &ctx->device->flags, value); else if (key_match("PrivateKey")) { - ret = parse_key(ctx->device->private_key, value); + ret = parse_key_or_file(ctx->device->private_key, value); if (ret) ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; } else @@ -464,7 +474,7 @@ static bool process_line(struct config_ctx *ctx, const char *line) else if (key_match("PersistentKeepalive")) ret = parse_persistent_keepalive(&ctx->last_peer->persistent_keepalive_interval, &ctx->last_peer->flags, value); else if (key_match("PresharedKey")) { - ret = parse_key(ctx->last_peer->preshared_key, value); + ret = parse_key_or_file(ctx->last_peer->preshared_key, value); if (ret) ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY; } else -- 2.20.1