wireguard-tools: allow generating private_key

Message ID 20210108012435.175345-1-me@irrelefant.net
State Rejected

Commit Message

Leonardo Mörlein Jan. 8, 2021, 1:24 a.m. UTC
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow setting the private_key to "generate"
and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
---
 package/network/utils/wireguard-tools/files/wireguard.sh | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Adrian Schmutzler Jan. 8, 2021, 12:09 p.m. UTC | #1
Hi,

> -----Original Message-----
> From: openwrt-devel [mailto:openwrt-devel-bounces@lists.openwrt.org]
> On Behalf Of Leonardo Mörlein
> Sent: Freitag, 8. Januar 2021 02:25
> To: openwrt-devel@lists.openwrt.org
> Cc: Leonardo Mörlein <me@irrelefant.net>
> Subject: [PATCH] wireguard-tools: allow generating private_key
> 
> When the uci configuration is created automatically during a very early stage,
> where no entropy daemon is set up, generating the key directly is not an
> option. Therefore we allow setting the private_key to "generate"
> and generate the private key directly before the interface is taken up.

Please bump PKG_RELEASE.

Best

Adrian

> 
> Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
> ---
>  package/network/utils/wireguard-tools/files/wireguard.sh | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh
> b/package/network/utils/wireguard-tools/files/wireguard.sh
> index 63261aea71..d874c4b5e6 100644
> --- a/package/network/utils/wireguard-tools/files/wireguard.sh
> +++ b/package/network/utils/wireguard-tools/files/wireguard.sh
> @@ -121,6 +121,11 @@ proto_wireguard_setup() {
>  		ip link set mtu "${mtu}" dev "${config}"
>  	fi
> 
> +	if [ "$private_key" == "generate" ]; then
> +		private_key=`"${WG}" genkey`
> +		uci -q set network."$config".private_key="$private_key" &&
> uci -q commit network
> +	fi
> +
>  	proto_init_update "${config}" 1
> 
>  	umask 077
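Review bot: `private_key=`"${WG}" genkey`` in this hunk has no failure check, so if `genkey` fails or prints nothing, the following `uci set` stores an empty private_key and the `&&` still triggers the commit; capture the output and bail out of the setup when it is empty, e.g. `private_key=$("${WG}" genkey)` followed by `[ -n "$private_key" ] || return 1`, before touching uci. As a style point, `[ "$private_key" == "generate" ]` uses the bash-only `==`; `=` is the POSIX form, and `$(...)` is the idiomatic replacement for the backticks.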
> --
> 2.30.0
Jo-Philipp Wich Jan. 8, 2021, 12:42 p.m. UTC | #2
Hi,

I'm afraid this approach is not really acceptable. Automatically calling `uci
commit` outside of the early-boot / uci-defaults context is not safe.

There could be arbitrary user defined, intentionally uncommitted changes
stashed when the ifup sequence is running which you would inadvertently commit
along with the key option change.

So, a NACK from me.

~ Jo
Leonardo Mörlein Jan. 8, 2021, 1:51 p.m. UTC | #3
Hi Jo,

I see your point. I will solve this downstream, so this can be closed.

Kind regards,
Leo
Patch

diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh
index 63261aea71..d874c4b5e6 100644
--- a/package/network/utils/wireguard-tools/files/wireguard.sh
+++ b/package/network/utils/wireguard-tools/files/wireguard.sh
@@ -121,6 +121,11 @@  proto_wireguard_setup() {
 		ip link set mtu "${mtu}" dev "${config}"
 	fi
 
+	if [ "$private_key" == "generate" ]; then
+		private_key=`"${WG}" genkey`
+		uci -q set network."$config".private_key="$private_key" && uci -q commit network
+	fi
+
 	proto_init_update "${config}" 1
 
 	umask 077
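Review bot: `uci -q commit network` on the `uci set` line commits every change staged in the network config at ifup time, not just the generated key, so any uncommitted edits a user has pending are written to disk as a side effect of bringing the interface up (the objection raised in the thread). If the key must persist, stage it with `uci set` alone and leave committing to the caller, or keep the generated key somewhere that is not the shared uci staging area; either way the commit does not belong in the protocol handler.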