Message ID | 20210108012435.175345-1-me@irrelefant.net
---|---
State | Rejected
Series | wireguard-tools: allow generating private_key
Hi,

> -----Original Message-----
> From: openwrt-devel [mailto:openwrt-devel-bounces@lists.openwrt.org] On Behalf Of Leonardo Mörlein
> Sent: Friday, 8 January 2021 02:25
> To: openwrt-devel@lists.openwrt.org
> Cc: Leonardo Mörlein <me@irrelefant.net>
> Subject: [PATCH] wireguard-tools: allow generating private_key
>
> When the uci configuration is created automatically during a very early stage,
> where no entropy daemon is set up, generating the key directly is not an
> option. Therefore we allow setting the private_key to "generate"
> and generate the private key directly before the interface is taken up.

Please bump PKG_RELEASE.

Best
Adrian

> Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
> ---
>  package/network/utils/wireguard-tools/files/wireguard.sh | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh
> index 63261aea71..d874c4b5e6 100644
> --- a/package/network/utils/wireguard-tools/files/wireguard.sh
> +++ b/package/network/utils/wireguard-tools/files/wireguard.sh
> @@ -121,6 +121,11 @@ proto_wireguard_setup() {
>  ip link set mtu "${mtu}" dev "${config}"
>  fi
>
> + if [ "$private_key" == "generate" ]; then
> + private_key=`"${WG}" genkey`
> + uci -q set network."$config".private_key="$private_key" && uci -q commit network
> + fi
> +
>  proto_init_update "${config}" 1
>
>  umask 077
> --
> 2.30.0
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Hi, I'm afraid this approach is not really acceptable. Automatically calling `uci commit` outside of the early-boot / uci-defaults context is not safe. There could be arbitrary user defined, intentionally uncommitted changes stashed when the ifup sequence is running which you would inadvertently commit along with the key option change. So, a NACK from me. ~ Jo
Hi Jo, I see your point. I will solve this downstream, so this can be closed. Kind regards, Leo
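One way to implement the behaviour Leo describes without the hazard Jo points out, as an added example that is not part of the thread or of OpenWrt's wireguard.sh: the function below generates a key only when the option is literally "generate", refuses to commit while `uci changes network` reports unrelated staged changes, and feeds the key to `uci batch` on stdin so the secret never appears on a command line. The `UCI` and `WG` variables, the function name `wg_generate_key` and its return codes are this example's own conventions, not netifd's.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt thread or from wireguard.sh.
# Assumptions: UCI and WG name the uci and wg binaries (overridable so the
# function can be exercised with stubs); the interface is network.<name>.

UCI="${UCI:-uci}"
WG="${WG:-wg}"

# wg_generate_key <name>
# Returns 0 and prints the new key when a key was generated and committed,
# 1 when a real key is already configured (nothing to do),
# 2 when the commit was refused because network has staged changes,
# 3 when key generation or the uci write failed.
wg_generate_key() {
    name="$1"

    current="$("$UCI" -q get "network.$name.private_key")"
    if [ -n "$current" ] && [ "$current" != "generate" ]; then
        return 1
    fi

    # The guard from the review: `uci commit network` would also persist
    # whatever the admin staged but did not commit. Refuse rather than
    # silently committing someone else's pending changes.
    if [ -n "$("$UCI" -q changes network)" ]; then
        echo "network has uncommitted changes; not committing a key" >&2
        return 2
    fi

    key="$("$WG" genkey)" || return 3

    # Send set+commit through `uci batch` on stdin instead of passing the
    # key as an argument, so it is not visible in the process list.
    printf 'set network.%s.private_key=%s\ncommit network\n' "$name" "$key" |
        "$UCI" -q batch || return 3

    printf '%s\n' "$key"
}
```

There is still a window between the `uci changes` check and the commit in which another process could stage a change, so this is a guard, not a lock. Jo's underlying objection stands: ifup is not a context where committing is expected, and the conservative fix is to generate the key from a uci-defaults script, where a commit is the normal outcome.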
diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh index 63261aea71..d874c4b5e6 100644 --- a/package/network/utils/wireguard-tools/files/wireguard.sh +++ b/package/network/utils/wireguard-tools/files/wireguard.sh @@ -121,6 +121,11 @@ proto_wireguard_setup() { ip link set mtu "${mtu}" dev "${config}" fi + if [ "$private_key" == "generate" ]; then + private_key=`"${WG}" genkey` + uci -q set network."$config".private_key="$private_key" && uci -q commit network + fi + proto_init_update "${config}" 1 umask 077
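Review bot: the `uci -q set network."$config".private_key="$private_key" && uci -q commit network` chain in the `proto_wireguard_setup()` hunk drops its own failure silently (`-q` suppresses the message and nothing checks the result), so if the write or the commit fails the interface still comes up with the freshly generated in-memory key, that key is never persisted, and the next ifup generates a different one, breaking every peer that already learned the public key; report the failure with proto_notify_error and abort rather than continuing. Two smaller points on the same lines: `[ "$private_key" == "generate" ]` should use `=` (`==` is a bashism that POSIX test does not guarantee), and the backtick form `private_key=`"${WG}" genkey`` should be `$("${WG}" genkey)`. Passing the secret as an argument to `uci set` also exposes it in the process list for the duration of the call; feeding `set` and `commit` to `uci batch` on stdin avoids that. And, as raised in review, `uci -q commit network` persists every staged change in the network config, not only this option.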
When the uci configuration is created automatically during a very early stage, where no entropy daemon is set up, generating the key directly is not an option. Therefore we allow setting the private_key to "generate" and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
---
 package/network/utils/wireguard-tools/files/wireguard.sh | 5 +++++
 1 file changed, 5 insertions(+)