From: Daniel Gröber
To: wireguard@lists.zx2c4.com
Cc: "Jason A. Donenfeld", Daniel Gröber, Michael Tokarev
Subject: [PATCH v2 RESEND] wg: Allow config to read secret keys from file
Date: Fri, 18 Aug 2023 13:49:57 +0200
Message-Id: <20230818114957.982705-1-dxld@darkboxed.org>

This adds two new config keys, PrivateKeyFile= and PresharedKeyFile=, that simply hook up the existing code for the `wg set ... private-key /file` code path.

By using the new options, WireGuard configs can become a lot easier to manage and deploy, as we don't have to treat them as secrets anymore. This way they can, for example, be tracked in public git repos while the secret keys can be provisioned using an out-of-band system or with a manual one-time step instead.

Before this patch we were using an ugly hack: it's possible to simply omit PrivateKey= and set it using `PostUp = wg set %i private-key /some/file`. However, this breaks when we try to use setconf or syncconf, as they will (rightly) unset the private key when it's missing in the underlying config file, breaking connectivity.

Reviewed-By: Michael Tokarev
Signed-off-by: Daniel Gröber
---
 src/config.c | 8 ++++++++
 src/man/wg.8 | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/src/config.c b/src/config.c
index 81ccb47..1e924c7 100644
--- a/src/config.c
+++ b/src/config.c
@@ -450,6 +450,10 @@ static bool process_line(struct config_ctx *ctx, const char *line) ret = parse_key(ctx->device->private_key, value); if (ret) ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; + } else if (key_match("PrivateKeyFile")) { + ret = parse_keyfile(ctx->device->private_key, value); + if (ret) + ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; } else goto error; } else if (ctx->is_peer_section) { @@ -467,6 +471,10 @@ static bool process_line(struct config_ctx *ctx, const char *line) ret = parse_key(ctx->last_peer->preshared_key, value); if (ret) ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY; + } else if (key_match("PresharedKeyFile")) { + ret = parse_keyfile(ctx->last_peer->preshared_key, value); + if (ret) + ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY; } else goto error; } else diff --git a/src/man/wg.8 b/src/man/wg.8 index 7984539..a5d8bcf 100644 --- a/src/man/wg.8 +++ b/src/man/wg.8 @@ -134,6 +134,8 @@ The \fIInterface\fP section may contain the following fields: .IP \(bu PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required. .IP \(bu +PrivateKeyFile \(em path to a file containing a base64 private key. May be used instead of \fIPrivateKey\fP. Optional. +.IP \(bu ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen randomly. .IP \(bu @@ -151,6 +153,8 @@ and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. .IP \(bu +PresharedKeyFile \(em path to a file containing a base64 preshared key. May be used instead of \fIPresharedKey\fP. Optional. +.IP \(bu AllowedIPs \(em a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. The catch-all -- 2.39.2
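Review bot: in the PrivateKeyFile branch of the first config.c hunk (@@ -450), an [Interface] section that contains both PrivateKey= and PrivateKeyFile= is accepted silently and whichever line comes last wins, because each branch overwrites ctx->device->private_key and ORs in WGDEVICE_HAS_PRIVATE_KEY without looking at whether the flag is already set. The wg.8 text in this same patch says the new key "may be used instead of" PrivateKey, so the parser should enforce that: before `ret = parse_keyfile(ctx->device->private_key, value);` add `if (ctx->device->flags & WGDEVICE_HAS_PRIVATE_KEY) goto error;` (and mirror it in the PrivateKey branch), rejecting the line the same way the other malformed-line cases in this function do with `goto error`, or else document the precedence explicitly.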
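Review bot: the PresharedKeyFile branch in the second config.c hunk (@@ -467) has the same last-one-wins behaviour against PresharedKey=, and in a [Peer] section the conflict is easier to create by accident since peer blocks tend to be copy-pasted; a check on WGPEER_HAS_PRESHARED_KEY before `ret = parse_keyfile(ctx->last_peer->preshared_key, value);` would close it. Worth stating in review what this hunk shifts rather than removes: the .conf stops being the secret, so the file named in PresharedKeyFile (and PrivateKeyFile) now is, and nothing at this call site looks at that file's permissions. Consider emitting a warning when the key file is group- or world-readable, or at least stating in wg.8 that it is expected to be mode 0600 and owned by the user running wg.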
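Review bot: in the first wg.8 hunk (@@ -134), the PrivateKey entry two lines above the inserted PrivateKeyFile entry still ends with "Required.", which is no longer accurate once PrivateKeyFile may be used instead; change it in this hunk to something like "Required unless PrivateKeyFile is given." The new PrivateKeyFile entry should also say how a relative path is resolved, since readers will otherwise assume it is relative to the config file, and what happens when both PrivateKey and PrivateKeyFile are present (which wins, or that it is an error).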
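Review bot: the PresharedKeyFile entry in the second wg.8 hunk (@@ -151) should state the expected file contents, i.e. a single base64 line as produced by `wg genpsk > file`, and the expected permissions, so operators moving the PSK out of the .conf do not end up with a world-readable key file next to a now-public config; the "May be used instead of" wording also leaves precedence undefined when both PresharedKey and PresharedKeyFile appear in one [Peer] section, which should either be stated here or rejected in config.c.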
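The deployment model the patch describes, a public .conf that only names key files, with the secrets provisioned out of band, as an added example that is not part of the patch, of wg-tools, or of the author's message. It assumes the PrivateKeyFile= and PresharedKeyFile= keys from the patch are accepted by the installed wg; the paths, addresses, endpoint and the peer public key placeholder are made up, and the /dev/urandom fallback is only there so the script runs on a host without wg (it skips the clamping that `wg genkey` does). `check_keyfile` validates what a key file must look like before wg sees it, and `config_leaks_key` is the check you would hang on a git pre-commit hook to make sure no inline key slips back into the tracked config.

```shell
#!/bin/sh
# Added example, not from the patch or from wg-tools: provision WireGuard keys
# into separate 0600 files and emit a wg-quick config that references them via
# PrivateKeyFile= / PresharedKeyFile=, so the .conf itself holds no secret.
set -eu

# Write a 32-byte key, base64-encoded, to $1 with mode 0600.
# $2 is "private" (default) or "preshared". `wg genkey`/`wg genpsk` are used
# when wg is installed; the urandom fallback is an assumption for hosts
# without wg and does not apply genkey's Curve25519 clamping.
write_keyfile() {
    path=$1; kind=${2:-private}
    ( umask 077
      if command -v wg >/dev/null 2>&1; then
          if [ "$kind" = preshared ]; then wg genpsk; else wg genkey; fi
      else
          head -c 32 /dev/urandom | base64 | tr -d '\n'; echo
      fi > "$path" )
}

# Return 0 iff $1 is a regular file, owner-only (-rw-------), and holds one
# line of 44 base64 characters (32 bytes -> 43 chars plus one '=' pad).
# Non-zero return codes tell the caller which check failed.
check_keyfile() {
    path=$1
    [ -f "$path" ] || return 1
    [ "$(ls -ld "$path" | cut -c1-10)" = "-rw-------" ] || return 2
    [ "$(wc -l < "$path" | tr -d ' ')" -le 1 ] || return 3
    grep -Eqx '[A-Za-z0-9+/]{43}=' "$path" || return 4
}

# Print a wg-quick config to stdout: $1 private key file, $2 preshared key
# file, $3 the peer's public key. Only paths appear for the secrets.
write_config() {
    cat <<EOF
[Interface]
Address = 10.0.0.2/32
PrivateKeyFile = $1

[Peer]
PublicKey = $3
PresharedKeyFile = $2
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.com:51820
EOF
}

# Return 0 iff the config at $1 carries inline key material: a PrivateKey= or
# PresharedKey= line whose value is a base64 key. PrivateKeyFile= and
# PresharedKeyFile= lines do not match, so this is safe as a pre-commit hook.
config_leaks_key() {
    grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}=' "$1"
}

# Demo in a throwaway directory (the peer public key is a constructed
# placeholder, not a real key).
tmp=$(mktemp -d)
write_keyfile "$tmp/wg0.key"
write_keyfile "$tmp/peer1.psk" preshared
check_keyfile "$tmp/wg0.key"
check_keyfile "$tmp/peer1.psk"
write_config "$tmp/wg0.key" "$tmp/peer1.psk" \
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' > "$tmp/wg0.conf"
config_leaks_key "$tmp/wg0.conf" && { echo "config contains a key" >&2; exit 1; }
echo "ok: $tmp/wg0.conf references $tmp/wg0.key and $tmp/peer1.psk"
rm -rf "$tmp"
```

The permission check is deliberately strict (exactly -rw-------) rather than "not world-readable": a key file that is group-readable is the usual way a secret leaks on a shared host, and wg itself does not refuse such a file. The one-line, 44-character shape mirrors what `wg set ... private-key /file` expects, so a file that passes `check_keyfile` will not fail later with a length or trailing-character error at interface bring-up.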