network: add WireGuardPeer.PresharedKeyFile= setting
This commit is contained in:
parent
6ef5c881dd
commit
a3945c6361
|
@ -1241,7 +1241,7 @@
|
|||
<varlistentry>
|
||||
<term><varname>PrivateKeyFile=</varname></term>
|
||||
<listitem>
|
||||
<para>Takes a absolute path to a file which contains the Base64 encoded private key for the interface.
|
||||
<para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
|
||||
When this option is specified, then <varname>PrivateKey=</varname> is ignored.
|
||||
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
|
||||
should be, e.g., owned by <literal>root:systemd-network</literal> with a
|
||||
|
@ -1296,6 +1296,16 @@
|
|||
with a <literal>0640</literal> file mode.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><varname>PresharedKeyFile=</varname></term>
|
||||
<listitem>
|
||||
<para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
|
||||
peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
|
||||
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
|
||||
should be, e.g., owned by <literal>root:systemd-network</literal> with a
|
||||
<literal>0640</literal> file mode.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><varname>AllowedIPs=</varname></term>
|
||||
<listitem>
|
||||
|
|
|
@ -187,4 +187,5 @@ WireGuardPeer.AllowedIPs, config_parse_wireguard_allowed_ips, 0,
|
|||
WireGuardPeer.Endpoint, config_parse_wireguard_endpoint, 0, 0
|
||||
WireGuardPeer.PublicKey, config_parse_wireguard_public_key, 0, 0
|
||||
WireGuardPeer.PresharedKey, config_parse_wireguard_preshared_key, 0, 0
|
||||
WireGuardPeer.PresharedKeyFile, config_parse_wireguard_preshared_key_file, 0, 0
|
||||
WireGuardPeer.PersistentKeepalive, config_parse_wireguard_keepalive, 0, 0
|
||||
|
|
|
@ -53,6 +53,7 @@ static void wireguard_peer_free(WireguardPeer *peer) {
|
|||
|
||||
free(peer->endpoint_host);
|
||||
free(peer->endpoint_port);
|
||||
free(peer->preshared_key_file);
|
||||
explicit_bzero_safe(peer->preshared_key, WG_KEY_LEN);
|
||||
|
||||
free(peer);
|
||||
|
@ -602,6 +603,49 @@ int config_parse_wireguard_preshared_key(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_wireguard_preshared_key_file(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
_cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL;
|
||||
_cleanup_free_ char *path = NULL;
|
||||
Wireguard *w;
|
||||
int r;
|
||||
|
||||
assert(data);
|
||||
w = WIREGUARD(data);
|
||||
assert(w);
|
||||
|
||||
r = wireguard_peer_new_static(w, filename, section_line, &peer);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (isempty(rvalue)) {
|
||||
peer->preshared_key_file = mfree(peer->preshared_key_file);
|
||||
TAKE_PTR(peer);
|
||||
return 0;
|
||||
}
|
||||
|
||||
path = strdup(rvalue);
|
||||
if (!path)
|
||||
return log_oom();
|
||||
|
||||
if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
|
||||
return 0;
|
||||
|
||||
free_and_replace(peer->preshared_key_file, path);
|
||||
TAKE_PTR(peer);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_wireguard_public_key(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
|
@ -879,6 +923,7 @@ finalize:
|
|||
|
||||
static int wireguard_peer_verify(WireguardPeer *peer) {
|
||||
NetDev *netdev = NETDEV(peer->wireguard);
|
||||
int r;
|
||||
|
||||
if (section_is_invalid(peer->section))
|
||||
return -EINVAL;
|
||||
|
@ -889,6 +934,14 @@ static int wireguard_peer_verify(WireguardPeer *peer) {
|
|||
"Ignoring [WireGuardPeer] section from line %u.",
|
||||
peer->section->filename, peer->section->line);
|
||||
|
||||
r = wireguard_read_key_file(peer->preshared_key_file, peer->preshared_key);
|
||||
if (r < 0)
|
||||
return log_netdev_error_errno(netdev, r,
|
||||
"%s: Failed to read preshared key from '%s'. "
|
||||
"Ignoring [WireGuardPeer] section from line %u.",
|
||||
peer->section->filename, peer->preshared_key_file,
|
||||
peer->section->line);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
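Review bot: Nothing in the new read in wireguard_peer_verify checks the permissions of the preshared key file, even though the man page change in this same commit tells the admin the file should be root:systemd-network with mode 0640; unless wireguard_read_key_file (defined outside the hunk) already warns on a world-readable file, a misconfigured mode silently leaks the PSK to every local user, and a `log_netdev_warning(netdev, "%s: preshared key file '%s' is world-readable", ...)` on `(st.st_mode & 0007) != 0` would catch the common mistake. The call is also unconditional, so it relies on wireguard_read_key_file treating a NULL preshared_key_file as a no-op for the majority of peers that do not set the option; a one-line comment above it, `/* No-op when PresharedKeyFile= is unset; otherwise overrides PresharedKey=. */`, would make that contract explicit at the call site, matching the "PresharedKey= is ignored" promise in the documentation. The lines of wireguard_peer_verify between the two hunks are not shown, so the private-key handling it may mirror could not be compared.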
@ -21,6 +21,7 @@ typedef struct WireguardPeer {
|
|||
|
||||
uint8_t public_key[WG_KEY_LEN];
|
||||
uint8_t preshared_key[WG_KEY_LEN];
|
||||
char *preshared_key_file;
|
||||
uint32_t flags;
|
||||
uint16_t persistent_keepalive_interval;
|
||||
|
||||
|
@ -63,4 +64,5 @@ CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_public_key);
|
|||
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key_file);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_preshared_key);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_preshared_key_file);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_keepalive);
|
||||
|
|
|
@ -52,6 +52,7 @@ Name=
|
|||
[WireGuardPeer]
|
||||
Endpoint=
|
||||
PresharedKey=
|
||||
PresharedKeyFile=
|
||||
PersistentKeepalive=
|
||||
PublicKey=
|
||||
AllowedIPs=
|
||||
|
|