From: Daniel Gröber
To: wireguard@lists.zx2c4.com
Cc: "Jason A. Donenfeld", Daniel Gröber
Subject: [PATCH] wg: Allow config to read private key from file
Date: Sun, 20 Nov 2022 23:46:01 +0100
Message-Id: <20221120224601.77300-1-dxld@darkboxed.org>

This adds a new config key PrivateKeyFile= that simply hooks up the existing code for the `wg set ... private-key /file` codepath.

Using this new option, the interface configs can be much easier to deploy in an automated fashion as they don't contain secrets anymore. The private key can easily be provisioned out of band or using a one-time provisioning step instead.

Before this patch we were using a neat hack: it's possible to simply omit PrivateKey= and set it using PostUp= wg set %i private-key /some/file. However, this breaks when we try to use setconf or syncconf as they will (rightly) unset the private key instead of leaving it as-is.
---
 src/config.c | 4 ++++
 src/man/wg.8 | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/src/config.c b/src/config.c index e8db900..49cbb07 100644 --- a/src/config.c +++ b/src/config.c @@ -464,6 +464,10 @@ static bool process_line(struct config_ctx *ctx, const char *line) ret = parse_key(ctx->device->private_key, value); if (ret) ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; + } else if (key_match("PrivateKeyFile")) { + ret = parse_keyfile(ctx->device->private_key, value); + if (ret) + ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; } else goto error; } else if (ctx->is_peer_section) { diff --git a/src/man/wg.8 b/src/man/wg.8 index fd9fde7..1d37338 100644 --- a/src/man/wg.8 +++ b/src/man/wg.8 
@@ -134,6 +134,8 @@ The \fIInterface\fP section may contain the following fields: .IP \(bu PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required. .IP \(bu +PrivateKeyFile \(em path to a file containing base64 private key. May be used instead of \fIPrivateKey\fP. Optional. +.IP \(bu ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen randomly. .IP \(bu -- 2.30.2
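Review bot: in the src/config.c hunk the new `PrivateKeyFile` branch sets WGDEVICE_HAS_PRIVATE_KEY exactly as the `PrivateKey` branch above it does, so a config that carries both keys is accepted and whichever line appears later silently overwrites the earlier one, which does not match the man page wording "May be used instead of PrivateKey". Either reject the combination (for example `goto error` when WGDEVICE_HAS_PRIVATE_KEY is already set by the time the second of the two keys is parsed) or document which one wins. Separately, `value` is handed to parse_keyfile() unchanged, so a relative path is resolved against the working directory of whatever process runs wg; a sentence about that in the man page would save users of the setconf/syncconf workflow the commit message describes from a surprising ENOENT.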
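Review bot: in the src/man/wg.8 hunk the existing `PrivateKey` entry still ends with "Required." while the new entry directly below it says "May be used instead of PrivateKey. Optional.", so the two entries now contradict each other. Suggest changing the `PrivateKey` line to "Required unless PrivateKeyFile is given." and tightening the new line to "PrivateKeyFile \(em path to a file containing a base64 private key, as generated by \fIwg genkey\fP. May be used instead of \fIPrivateKey\fP." (the missing article "a" is the only grammar fix).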
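The deployment pattern the commit message describes (private key provisioned out of band, interface config that carries no secret and points at the key with PrivateKeyFile=), written out as an added example that is not part of the patch or of the wireguard-tools project. The file paths, interface name and port are illustrative assumptions, as is the /dev/urandom fallback used on hosts without `wg`; the checks at the end are the ones a practitioner would run before shipping the result.

```shell
#!/bin/sh
# Added example (not part of the patch or of wireguard-tools): provision a
# WireGuard private key out of band and write an interface config that
# refers to it via the PrivateKeyFile= key the patch adds.
# Paths, interface name and port below are illustrative assumptions.
set -eu

# Write a 32-byte base64 private key to $1 with mode 0600, creating it only
# if absent so that re-running the provisioning step never rotates a key
# already in service. Uses `wg genkey` when present; the /dev/urandom
# fallback is an assumption for hosts without wireguard-tools and yields the
# same shape of key (32 raw bytes, base64-encoded).
provision_key() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        return 0
    fi
    umask 077
    if command -v wg >/dev/null 2>&1; then
        wg genkey > "$keyfile"
    else
        head -c 32 /dev/urandom | base64 > "$keyfile"
    fi
}

# Emit an [Interface] section that contains no secret: the key lives only in
# $2 and the config references it with PrivateKeyFile=.
write_config() {
    conf=$1; keyfile=$2; port=$3
    umask 077
    cat > "$conf" <<EOF
[Interface]
PrivateKeyFile = $keyfile
ListenPort = $port
EOF
}

# Pre-deploy checks on the generated artifacts:
#  1. the config carries no inline PrivateKey= line (PrivateKeyFile= is fine)
#  2. the key file is not group- or world-readable
#  3. the key file decodes to exactly 32 bytes
check_deploy() {
    conf=$1; keyfile=$2
    if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf"; then
        echo "inline PrivateKey= found in $conf" >&2
        return 1
    fi
    mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
    case "$mode" in
        600|400) ;;
        *) echo "$keyfile mode $mode is too permissive" >&2; return 1 ;;
    esac
    keylen=$(tr -d '\n' < "$keyfile" | base64 -d | wc -c | tr -d ' ')
    if [ "$keylen" != 32 ]; then
        echo "$keyfile does not hold a 32-byte key" >&2
        return 1
    fi
    return 0
}

# Usage (assumed paths):
#   provision_key /etc/wireguard/wg0.key
#   write_config /etc/wireguard/wg0.conf /etc/wireguard/wg0.key 51820
#   check_deploy /etc/wireguard/wg0.conf /etc/wireguard/wg0.key
```

The config file can now be managed by the same tooling as any other non-secret file, while the key file is created once, locally, with restrictive permissions; `check_deploy` fails if someone later pastes a PrivateKey= line back into the config or loosens the key file's mode.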