From: Michael Tremer
Date: Wed, 24 Apr 2024 21:50:04 +0000 (+0200)
Subject: wireguard: Implement optional PSK for post-quantum stuff
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5606af3e5ecb3a968df2a48ea10c7811760241d;p=ipfire-2.x.git
wireguard: Implement optional PSK for post-quantum stuff
Signed-off-by: Michael Tremer
---
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 72f926b64..cc40436f4 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -1040,6 +1040,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 52e2b00f0..4f527dc27 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -2147,6 +2147,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.es b/doc/language_issues.es
index be5eca549..facbd5aa6 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1107,6 +1107,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 9559a95ed..cb0bea906 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.it b/doc/language_issues.it
index b6a3d5bd5..40363f9b6 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1393,6 +1393,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index b77ea2fef..dc0f9b4c9 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1414,6 +1414,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index c8a289b6f..610d8e29c 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1656,6 +1656,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 39e48fdfe..61808edb4 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1649,6 +1649,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index e05c2bee3..45516c4ff 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1276,6 +1276,7 @@ WARNING: untranslated string: wg invalid endpoint address = Invalid endpoint add
 WARNING: untranslated string: wg invalid endpoint port = Invalid endpoint port
 WARNING: untranslated string: wg invalid local subnet = Invalid local subnet
 WARNING: untranslated string: wg invalid name = Invalid name (Only letters, numbers, space and hyphen are allowed)
+WARNING: untranslated string: wg invalid psk = Invalid pre-shared key
 WARNING: untranslated string: wg invalid public key = Invalid public key
 WARNING: untranslated string: wg invalid remote subnet = Invalid remote subnet
 WARNING: untranslated string: wg name is already used = The name is already in use
diff --git a/doc/language_missings b/doc/language_missings
index 797b72348..98e28608d 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -121,12 +121,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < winbind daemon
 < wireguard
 < wlanap 802.11w disabled
@@ -202,12 +204,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < wireguard
 < wlanap
@@ -261,12 +265,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < wireguard
 < wlanap hide ssid
@@ -774,12 +780,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < whois results from
 < winbind daemon
@@ -1363,12 +1371,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < whois results from
 < winbind daemon
@@ -2368,12 +2378,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < whois results from
 < winbind daemon
@@ -3410,12 +3422,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < whois results from
 < winbind daemon
@@ -3829,12 +3843,14 @@
 < wg invalid endpoint port
 < wg invalid local subnet
 < wg invalid name
+< wg invalid psk
 < wg invalid public key
 < wg invalid remote subnet
 < wg name is already used
 < wg no local subnets
 < wg no remote subnets
 < wg peer does not exist
+< wg pre-shared key (optional)
 < whitelisted
 < whois results from
 < winbind daemon
diff --git a/html/cgi-bin/wireguard.cgi b/html/cgi-bin/wireguard.cgi
index fb0fcd5de..bc53b7789 100644
--- a/html/cgi-bin/wireguard.cgi
+++ b/html/cgi-bin/wireguard.cgi
@@ -129,6 +129,7 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) {
 "REMOTE_SUBNETS" => $peers{$key}[6],
 "REMARKS" => &decode_base64($peers{$key}[7]),
 "LOCAL_SUBNETS" => $peers{$key}[8],
+ "PSK" => $peers{$key}[9],
 );
 # Jump to the editor
@@ -158,6 +159,11 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) {
 push(@errormessages, $Lang::tr{'wg invalid public key'});
 }
+ # Check PSK
+ if (defined $cgiparams{'PSK'} && !&publickey_is_valid($cgiparams{'PSK'})) {
+ push(@errormessages, $Lang::tr{'wg invalid psk'});
+ }
+
 # Check the endpoint address
 unless (&Network::check_ip_address($cgiparams{'ENDPOINT_ADDRESS'})) {
 push(@errormessages, $Lang::tr{'wg invalid endpoint address'});
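Review bot: The new PSK check in the `@@ -158,6 +159,11 @@` hunk of wireguard.cgi gates on `defined $cgiparams{'PSK'}`, but an optional form field that the user leaves blank is normally submitted as a defined empty string, so unless `publickey_is_valid` (not visible here) accepts "", the "optional" key would be rejected with 'wg invalid psk' on every save that omits it, contradicting the `$cgiparams{"PSK"} || ""` fallback the storage hunk later relies on. Gating on truthiness matches that fallback and skips the validator for an empty field: `if ($cgiparams{'PSK'} && !&publickey_is_valid($cgiparams{'PSK'})) {`. Reusing the public-key validator is reasonable because a WireGuard pre-shared key has the same base64-encoded 32-byte form, but that is worth a one-line comment such as `# A PSK has the same base64 format as a public key, so reuse that check` so the next reader does not take it for a copy-paste mistake. The enclosing save handler starts and ends outside the hunk.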
@@ -217,6 +223,8 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) { &encode_remarks($cgiparams{"REMARKS"}), # 8 = Local Subnets join("|", @local_subnets), + # 9 = PSK + $cgiparams{"PSK"} || "", ]; # Store the configuration @@ -579,6 +587,14 @@ EDITOR: min="1" max="65535" placeholder="${DEFAULT_PORT}"/> + + + $Lang::tr{'wg pre-shared key (optional)'} + + + +
$Lang::tr{'routing'}
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 35fe20c10..ff735f215 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3044,12 +3044,14 @@
 'wg invalid endpoint port' => 'Invalid endpoint port',
 'wg invalid local subnet' => 'Invalid local subnet',
 'wg invalid name' => 'Invalid name (Only letters, numbers, space and hyphen are allowed)',
+'wg invalid psk' => 'Invalid pre-shared key',
 'wg invalid public key' => 'Invalid public key',
 'wg invalid remote subnet' => 'Invalid remote subnet',
 'wg name is already used' => 'The name is already in use',
 'wg no local subnets' => 'No local subnets given',
 'wg no remote subnets' => 'No remote subnets given',
 'wg peer does not exist' => 'Peer does not exist',
+'wg pre-shared key (optional)' => 'Pre-Shared Key (optional)',
 'whitelisted' => 'Whitelisted',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index 2ad6b9fe2..6c44b770d 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -45,6 +45,9 @@ generate_config() {
 local endpoint
 local port
 local routes
+ local remarks
+ local local_subnets
+ local psk
 local _rest
 local route
@@ -52,13 +55,19 @@ generate_config() {
 # Flush all previously set routes
 ip route flush dev "${INTF}"
- while read -r id enabled type name pubkey endpoint port routes _rest; do
+ while read -r id enabled type name pubkey endpoint port routes \
+ remarks local_subnets psk _rest; do
 # Skip peers that are not enabled
 [ "${enabled}" = "on" ] || continue
 echo "[Peer]"
 echo "PublicKey = ${pubkey}"
+ # Set PSK (if set)
+ if [ -n "${psk}" ]; then
+ echo "PresharedKey= ${psk}"
+ fi
+
 # Set endpoint
 if [ -n "${endpoint}" ]; then
 echo "Endpoint = ${endpoint}${port:+:}${port}"
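Review bot: In the `@@ -52,13 +55,19 @@` hunk of src/initscripts/system/wireguard, `echo "PresharedKey= ${psk}"` drops the space before `=` that the neighbouring `PublicKey = ` and `Endpoint = ` lines use; wg(8) tolerates either spelling, but the inconsistency reads like a typo, so write `echo "PresharedKey = ${psk}"`. With this line the generated configuration now carries a per-peer secret in addition to public material, so it is worth confirming that the file generate_config writes to is created with owner-only permissions; that part of the function is outside the hunk, as are the function's start and end. Peers stored before this change have no tenth field, so `read -r` leaves `psk` empty and the `-n` guard correctly skips the directive for them.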