Similar to PresharedKeyFile=, but for public key.
Closes #34012.
<xi:include href="version-info.xml" xpointer="v237"/>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>PublicKeyFile=</varname></term>
+ <listitem>
+ <para>Takes an absolute path to a file which contains the Base64 encoded public key for the peer.
+ When this option is specified, then <varname>PublicKey=</varname> will be ignored. Note that the
+ file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g., owned
+ by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
+ refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
+ it and the key read from it.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><varname>PresharedKey=</varname></term>
<listitem>
WireGuardPeer.AllowedIPs, config_parse_wireguard_allowed_ips, 0, 0
WireGuardPeer.Endpoint, config_parse_wireguard_endpoint, 0, 0
WireGuardPeer.PublicKey, config_parse_wireguard_peer_key, 0, 0
+WireGuardPeer.PublicKeyFile, config_parse_wireguard_peer_key_file, 0, 0
WireGuardPeer.PresharedKey, config_parse_wireguard_peer_key, 0, 0
-WireGuardPeer.PresharedKeyFile, config_parse_wireguard_preshared_key_file, 0, 0
+WireGuardPeer.PresharedKeyFile, config_parse_wireguard_peer_key_file, 0, 0
WireGuardPeer.PersistentKeepalive, config_parse_wireguard_keepalive, 0, 0
WireGuardPeer.RouteTable, config_parse_wireguard_peer_route_table, 0, 0
WireGuardPeer.RouteMetric, config_parse_wireguard_peer_route_priority,0, 0
free(peer->endpoint_host);
free(peer->endpoint_port);
+ free(peer->public_key_file);
free(peer->preshared_key_file);
explicit_bzero_safe(peer->preshared_key, WG_KEY_LEN);
return 0;
}
-int config_parse_wireguard_preshared_key_file(
+int config_parse_wireguard_peer_key_file(
const char *unit,
const char *filename,
unsigned line,
Wireguard *w = WIREGUARD(data);
_cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL;
_cleanup_free_ char *path = NULL;
+ char **key_file;
int r;
+ assert(filename);
+ assert(lvalue);
+
r = wireguard_peer_new_static(w, filename, section_line, &peer);
if (r < 0)
return log_oom();
+ if (streq(lvalue, "PublicKeyFile"))
+ key_file = &peer->public_key_file;
+ else if (streq(lvalue, "PresharedKeyFile"))
+ key_file = &peer->preshared_key_file;
+ else
+ assert_not_reached();
+
if (isempty(rvalue)) {
- peer->preshared_key_file = mfree(peer->preshared_key_file);
+ *key_file = mfree(*key_file);
TAKE_PTR(peer);
return 0;
}
if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
return 0;
- free_and_replace(peer->preshared_key_file, path);
+ free_and_replace(*key_file, path);
TAKE_PTR(peer);
return 0;
}
if (section_is_invalid(peer->section))
return -EINVAL;
+ r = wireguard_read_key_file(peer->public_key_file, peer->public_key);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r,
+ "%s: Failed to read public key from '%s'. "
+ "Ignoring [WireGuardPeer] section from line %u.",
+ peer->section->filename, peer->public_key_file,
+ peer->section->line);
+
if (eqzero(peer->public_key))
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
"%s: WireGuardPeer section without PublicKey= configured. "
uint8_t public_key[WG_KEY_LEN];
uint8_t preshared_key[WG_KEY_LEN];
+ char *public_key_file;
char *preshared_key_file;
uint32_t flags;
uint16_t persistent_keepalive_interval;
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_endpoint);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_listen_port);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_peer_key);
+CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_peer_key_file);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key_file);
-CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_preshared_key_file);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_keepalive);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_route_table);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_peer_route_table);
--- /dev/null
+lsDtM3AbjxNlauRKzHEPfgS1Zp7cp/VX5Use/P4PQSc=
[WireGuardPeer]
-PublicKey=lsDtM3AbjxNlauRKzHEPfgS1Zp7cp/VX5Use/P4PQSc=
+PublicKeyFile=/run/systemd/network/25-wireguard-public-key.txt
AllowedIPs=fdbc:bae2:7871:0500:e1fe:0793:8636:dad1/128
AllowedIPs=fdbc:bae2:7871:e1fe:0793:8636::/96
PresharedKeyFile=/run/systemd/network/25-wireguard-preshared-key.txt
copy_network_unit('25-wireguard.netdev', '25-wireguard.network',
'25-wireguard-23-peers.netdev', '25-wireguard-23-peers.network',
- '25-wireguard-preshared-key.txt', '25-wireguard-private-key.txt',
+ '25-wireguard-public-key.txt', '25-wireguard-preshared-key.txt', '25-wireguard-private-key.txt',
'25-wireguard-no-peer.netdev', '25-wireguard-no-peer.network')
start_networkd()
self.wait_online('wg99:routable', 'wg98:routable', 'wg97:carrier')
projects / thirdparty / systemd.git / commitdiff
