/* SPDX-License-Identifier: LGPL-2.1-or-later */
/*
* Copyright (C) 2018 - 2019 Red Hat, Inc.
*/
#include "nm-default.h"
#include "nm-setting-wireguard.h"
#include "nm-setting-private.h"
#include "nm-utils-private.h"
#include "nm-connection-private.h"
#include "nm-glib-aux/nm-secret-utils.h"
/*****************************************************************************/
/**
* SECTION:nm-setting-wireguard
* @short_description: Describes connection properties for wireguard related options
*
* The #NMSettingWireGuard object is a #NMSetting subclass that contains settings
* for configuring WireGuard.
**/
/*****************************************************************************/
static NMWireGuardPeer *_wireguard_peer_dup(const NMWireGuardPeer *self);
G_DEFINE_BOXED_TYPE(NMWireGuardPeer,
nm_wireguard_peer,
_wireguard_peer_dup,
nm_wireguard_peer_unref)
/* NMWireGuardPeer can also track invalid allowed-ip settings, and only reject
* them later during is_valid(). Such values are marked by a leading 'X' character
* in the @allowed_ips. It is expected, that such values are the exception, and
* commonly not present. */
#define ALLOWED_IP_INVALID_X 'X'
#define ALLOWED_IP_INVALID_X_STR "X"
/**
* NMWireGuardPeer:
*
* The settings of one WireGuard peer.
*
* Since: 1.16
*/
struct _NMWireGuardPeer {
NMSockAddrEndpoint * endpoint;
char * public_key;
char * preshared_key;
GPtrArray * allowed_ips;
guint refcount;
NMSettingSecretFlags preshared_key_flags;
guint16 persistent_keepalive;
bool public_key_valid : 1;
bool preshared_key_valid : 1;
bool sealed : 1;
};
static gboolean
NM_IS_WIREGUARD_PEER(const NMWireGuardPeer *self, gboolean also_sealed)
{
return self && self->refcount > 0 && (also_sealed || !self->sealed);
}
/**
* nm_wireguard_peer_new:
*
* Returns: (transfer full): a new, default, unsealed #NMWireGuardPeer instance.
*
* Since: 1.16
*/
NMWireGuardPeer *
nm_wireguard_peer_new(void)
{
NMWireGuardPeer *self;
self = g_slice_new(NMWireGuardPeer);
*self = (NMWireGuardPeer){
.refcount = 1,
.preshared_key_flags = NM_SETTING_SECRET_FLAG_NOT_REQUIRED,
};
return self;
}
/**
* nm_wireguard_peer_new_clone:
* @self: the #NMWireGuardPeer instance to copy.
* @with_secrets: if %TRUE, the preshared-key secrets are copied
* as well. Otherwise, they will be removed.
*
* Returns: (transfer full): a clone of @self. This instance
* is always unsealed.
*
* Since: 1.16
*/
NMWireGuardPeer *
nm_wireguard_peer_new_clone(const NMWireGuardPeer *self, gboolean with_secrets)
{
NMWireGuardPeer *new;
guint i;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
new = g_slice_new(NMWireGuardPeer);
*new = (NMWireGuardPeer){
.refcount = 1,
.public_key = g_strdup(self->public_key),
.public_key_valid = self->public_key_valid,
.preshared_key = with_secrets ? g_strdup(self->preshared_key) : NULL,
.preshared_key_valid = self->preshared_key_valid,
.preshared_key_flags = self->preshared_key_flags,
.endpoint = nm_sock_addr_endpoint_ref(self->endpoint),
.persistent_keepalive = self->persistent_keepalive,
};
if (self->allowed_ips && self->allowed_ips->len > 0) {
new->allowed_ips = g_ptr_array_new_full(self->allowed_ips->len, g_free);
for (i = 0; i < self->allowed_ips->len; i++) {
g_ptr_array_add(new->allowed_ips, g_strdup(self->allowed_ips->pdata[i]));
}
}
return new;
}
/**
* nm_wireguard_peer_ref:
* @self: (allow-none): the #NMWireGuardPeer instance
*
* This is not thread-safe.
*
* Returns: returns the input argument @self after incrementing
* the reference count.
*
* Since: 1.16
*/
NMWireGuardPeer *
nm_wireguard_peer_ref(NMWireGuardPeer *self)
{
if (!self)
return NULL;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
nm_assert(self->refcount < G_MAXUINT);
self->refcount++;
return self;
}
/**
* nm_wireguard_peer_unref:
* @self: (allow-none): the #NMWireGuardPeer instance
*
* Drop a reference to @self. If the last reference is dropped,
* the instance is freed and all associate data released.
*
* This is not thread-safe.
*
* Since: 1.16
*/
void
nm_wireguard_peer_unref(NMWireGuardPeer *self)
{
if (!self)
return;
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE));
if (--self->refcount > 0)
return;
nm_sock_addr_endpoint_unref(self->endpoint);
if (self->allowed_ips)
g_ptr_array_unref(self->allowed_ips);
g_free(self->public_key);
nm_free_secret(self->preshared_key);
g_slice_free(NMWireGuardPeer, self);
}
/**
* _wireguard_peer_dup:
* @self: the #NMWireGuardPeer instance
*
* Duplicates the #NMWireGuardPeer instance. Note that if @self
* is already sealed, this increments the reference count and
* returns it. If the instance is still unsealed, it is copied.
*
* Returns: (transfer full): a duplicate of @self, or (if the
* instance is sealed and thus immutable) a reference to @self.
* As such, the instance will be sealed if and only if @self is
* sealed.
*/
static NMWireGuardPeer *
_wireguard_peer_dup(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
if (self->sealed)
return nm_wireguard_peer_ref((NMWireGuardPeer *) self);
return nm_wireguard_peer_new_clone(self, TRUE);
}
/**
* nm_wireguard_peer_seal:
* @self: the #NMWireGuardPeer instance
*
* Seal the #NMWireGuardPeer instance. Afterwards, it is a bug
* to call all functions that modify the instance (except ref/unref).
* A sealed instance cannot be unsealed again, but you can create
* an unsealed copy with nm_wireguard_peer_new_clone().
*
* Since: 1.16
*/
void
nm_wireguard_peer_seal(NMWireGuardPeer *self)
{
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE));
self->sealed = TRUE;
if (self->allowed_ips) {
if (self->allowed_ips->len == 0)
nm_clear_pointer(&self->allowed_ips, g_ptr_array_unref);
}
}
/**
* nm_wireguard_peer_is_sealed:
* @self: the #NMWireGuardPeer instance
*
* Returns: whether @self is sealed or not.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_is_sealed(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), FALSE);
return self->sealed;
}
/**
* nm_wireguard_peer_get_public_key:
* @self: the #NMWireGuardPeer instance
*
* Returns: (transfer none): the public key or %NULL if unset.
*
* Since: 1.16
*/
const char *
nm_wireguard_peer_get_public_key(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
return self->public_key;
}
/**
* nm_wireguard_peer_set_public_key:
* @self: the unsealed #NMWireGuardPeer instance
* @public_key: (allow-none) (transfer none): the new public
* key or %NULL to clear the public key.
* @accept_invalid: if %TRUE and @public_key is not %NULL and
* invalid, then do not modify the instance.
*
* Reset the public key. Note that if the public key is valid, it
* will be normalized (which may or may not modify the set value).
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Returns: %TRUE if the key was valid or %NULL. Returns
* %FALSE for invalid keys. Depending on @accept_invalid
* will an invalid key be set or not.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_set_public_key(NMWireGuardPeer *self,
const char * public_key,
gboolean accept_invalid)
{
char * public_key_normalized = NULL;
gboolean is_valid;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE), FALSE);
if (!public_key) {
nm_clear_g_free(&self->public_key);
return TRUE;
}
is_valid = nm_utils_base64secret_normalize(public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized);
nm_assert(is_valid == (public_key_normalized != NULL));
if (!is_valid && !accept_invalid)
return FALSE;
self->public_key_valid = is_valid;
g_free(self->public_key);
self->public_key = public_key_normalized ?: g_strdup(public_key);
return is_valid;
}
void
_nm_wireguard_peer_set_public_key_bin(NMWireGuardPeer *self,
const guint8 public_key[static NM_WIREGUARD_PUBLIC_KEY_LEN])
{
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE));
nm_clear_g_free(&self->public_key);
if (!public_key)
return;
self->public_key = g_base64_encode(public_key, NM_WIREGUARD_PUBLIC_KEY_LEN);
self->public_key_valid = TRUE;
}
/**
* nm_wireguard_peer_get_preshared_key:
* @self: the #NMWireGuardPeer instance
*
* Returns: (transfer none): the preshared key or %NULL if unset.
*
* Since: 1.16
*/
const char *
nm_wireguard_peer_get_preshared_key(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
return self->preshared_key;
}
/**
* nm_wireguard_peer_set_preshared_key:
* @self: the unsealed #NMWireGuardPeer instance
* @preshared_key: (allow-none) (transfer none): the new preshared
* key or %NULL to clear the preshared key.
* @accept_invalid: whether to allow setting the key to an invalid
* value. If %FALSE, @self is unchanged if the key is invalid
* and if %FALSE is returned.
*
* Reset the preshared key. Note that if the preshared key is valid, it
* will be normalized (which may or may not modify the set value).
*
* Note that the preshared-key is a secret and consequently has corresponding
* preshared-key-flags property. This is so that secrets can be optional
* and requested on demand from a secret-agent. Also, an invalid preshared-key
* may optionally cause nm_wireguard_peer_is_valid() to fail or it may
* be accepted.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Returns: %TRUE if the preshared-key is valid, otherwise %FALSE.
* %NULL is considered a valid value.
* If the key is invalid, it depends on @accept_invalid whether the
* previous value was reset.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_set_preshared_key(NMWireGuardPeer *self,
const char * preshared_key,
gboolean accept_invalid)
{
char * preshared_key_normalized = NULL;
gboolean is_valid;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE), FALSE);
if (!preshared_key) {
nm_clear_pointer(&self->preshared_key, nm_free_secret);
return TRUE;
}
is_valid = nm_utils_base64secret_normalize(preshared_key,
NM_WIREGUARD_SYMMETRIC_KEY_LEN,
&preshared_key_normalized);
nm_assert(is_valid == (preshared_key_normalized != NULL));
if (!is_valid && !accept_invalid)
return FALSE;
self->preshared_key_valid = is_valid;
nm_free_secret(self->preshared_key);
self->preshared_key = preshared_key_normalized ?: g_strdup(preshared_key);
return is_valid;
}
/**
* nm_wireguard_peer_get_preshared_key_flags:
* @self: the #NMWireGuardPeer instance
*
* Returns: get the secret flags for the preshared-key.
*
* Since: 1.16
*/
NMSettingSecretFlags
nm_wireguard_peer_get_preshared_key_flags(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), 0);
return self->preshared_key_flags;
}
/**
* nm_wireguard_peer_set_preshared_key_flags:
* @self: the unsealed #NMWireGuardPeer instance
* @preshared_key_flags: the secret flags to set.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Since: 1.16
*/
void
nm_wireguard_peer_set_preshared_key_flags(NMWireGuardPeer * self,
NMSettingSecretFlags preshared_key_flags)
{
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE));
self->preshared_key_flags = preshared_key_flags;
}
/**
* nm_wireguard_peer_get_persistent_keepalive:
* @self: the #NMWireGuardPeer instance
*
* Returns: get the persistent-keepalive setting in seconds. Set to zero to disable
* keep-alive.
*
* Since: 1.16
*/
guint16
nm_wireguard_peer_get_persistent_keepalive(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), 0);
return self->persistent_keepalive;
}
/**
* nm_wireguard_peer_set_persistent_keepalive:
* @self: the unsealed #NMWireGuardPeer instance
* @persistent_keepalive: the keep-alive value to set.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Since: 1.16
*/
void
nm_wireguard_peer_set_persistent_keepalive(NMWireGuardPeer *self, guint16 persistent_keepalive)
{
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE));
self->persistent_keepalive = persistent_keepalive;
}
NMSockAddrEndpoint *
_nm_wireguard_peer_get_endpoint(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
return self->endpoint;
}
/**
* nm_wireguard_peer_get_endpoint:
* @self: the #NMWireGuardPeer instance
*
* Returns: (transfer none): the endpoint or %NULL if none was set.
*
* Since: 1.16
*/
const char *
nm_wireguard_peer_get_endpoint(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
return self->endpoint ? nm_sock_addr_endpoint_get_endpoint(self->endpoint) : NULL;
}
void
_nm_wireguard_peer_set_endpoint(NMWireGuardPeer *self, NMSockAddrEndpoint *endpoint)
{
NMSockAddrEndpoint *old;
nm_assert(NM_IS_WIREGUARD_PEER(self, FALSE));
old = self->endpoint;
self->endpoint = nm_sock_addr_endpoint_ref(endpoint);
nm_sock_addr_endpoint_unref(old);
}
/**
* nm_wireguard_peer_set_endpoint:
* @self: the unsealed #NMWireGuardPeer instance
* @endpoint: the socket address endpoint to set or %NULL.
* @allow_invalid: if %TRUE, also invalid values are set.
* If %FALSE, the function does nothing for invalid @endpoint
* arguments.
*
* Sets or clears the endpoint of @self.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Returns: %TRUE if the endpoint is %NULL or valid. For an
* invalid @endpoint argument, %FALSE is returned. Depending
* on @allow_invalid, the instance will be modified.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_set_endpoint(NMWireGuardPeer *self, const char *endpoint, gboolean allow_invalid)
{
NMSockAddrEndpoint *old;
NMSockAddrEndpoint *new;
gboolean is_valid;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE), FALSE);
if (!endpoint) {
nm_clear_pointer(&self->endpoint, nm_sock_addr_endpoint_unref);
return TRUE;
}
new = nm_sock_addr_endpoint_new(endpoint);
is_valid = (nm_sock_addr_endpoint_get_host(new) != NULL);
if (!allow_invalid && !is_valid) {
nm_sock_addr_endpoint_unref(new);
return FALSE;
}
old = self->endpoint;
self->endpoint = new;
nm_sock_addr_endpoint_unref(old);
return is_valid;
}
/**
* nm_wireguard_peer_get_allowed_ips_len:
* @self: the #NMWireGuardPeer instance
*
* Returns: the number of allowed-ips entries.
*
* Since: 1.16
*/
guint
nm_wireguard_peer_get_allowed_ips_len(const NMWireGuardPeer *self)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), 0);
return self->allowed_ips ? self->allowed_ips->len : 0u;
}
/**
* nm_wireguard_peer_get_allowed_ip:
* @self: the #NMWireGuardPeer instance
* @idx: the index from zero to (allowed-ips-len - 1) to
* retrieve.
* @out_is_valid: (allow-none): %TRUE if the returned value is a valid allowed-ip
* setting.
*
* Returns: (transfer none): the allowed-ip setting at index @idx.
* If @idx is out of range, %NULL will be returned.
*
* Since: 1.16
*/
const char *
nm_wireguard_peer_get_allowed_ip(const NMWireGuardPeer *self, guint idx, gboolean *out_is_valid)
{
const char *s;
/* With LTO, the compiler might warn about the g_return_val_if_fail()
* code path not initializing the output argument. Workaround that by
* always setting the out argument. */
NM_SET_OUT(out_is_valid, FALSE);
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), NULL);
if (!self->allowed_ips || idx >= self->allowed_ips->len)
return NULL;
s = self->allowed_ips->pdata[idx];
NM_SET_OUT(out_is_valid, s[0] != ALLOWED_IP_INVALID_X);
return s[0] == ALLOWED_IP_INVALID_X ? &s[1] : s;
}
/**
* nm_wireguard_peer_clear_allowed_ips:
* @self: the unsealed #NMWireGuardPeer instance
*
* Removes all allowed-ip entries.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Since: 1.16
*/
void
nm_wireguard_peer_clear_allowed_ips(NMWireGuardPeer *self)
{
g_return_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE));
if (self->allowed_ips)
g_ptr_array_set_size(self->allowed_ips, 0);
}
static gboolean
_peer_append_allowed_ip(NMWireGuardPeer *self, const char *allowed_ip, gboolean accept_invalid)
{
int addr_family;
int prefix;
NMIPAddr addrbin;
char * str;
gboolean is_valid = TRUE;
nm_assert(NM_IS_WIREGUARD_PEER(self, FALSE));
nm_assert(allowed_ip);
/* normalize the address (if it is valid. Otherwise, take it
* as-is (it will render the instance invalid). */
if (!nm_utils_parse_inaddr_prefix_bin(AF_UNSPEC, allowed_ip, &addr_family, &addrbin, &prefix)) {
if (!accept_invalid)
return FALSE;
/* mark the entry as invalid by having a "X" prefix. */
str = g_strconcat(ALLOWED_IP_INVALID_X_STR, allowed_ip, NULL);
is_valid = FALSE;
} else {
char addrstr[NM_UTILS_INET_ADDRSTRLEN];
nm_assert_addr_family(addr_family);
nm_utils_inet_ntop(addr_family, &addrbin, addrstr);
if (prefix >= 0)
str = g_strdup_printf("%s/%d", addrstr, prefix);
else
str = g_strdup(addrstr);
nm_assert(str[0] != ALLOWED_IP_INVALID_X);
}
if (!self->allowed_ips)
self->allowed_ips = g_ptr_array_new_with_free_func(g_free);
g_ptr_array_add(self->allowed_ips, str);
return is_valid;
}
/**
* nm_wireguard_peer_append_allowed_ip:
* @self: the unsealed #NMWireGuardPeer instance
* @allowed_ip: the allowed-ip entry to set.
* @accept_invalid: if %TRUE, also invalid @allowed_ip value
* will be appended. Otherwise, the function does nothing
* in face of invalid values and returns %FALSE.
*
* Appends @allowed_ip setting to the list. This does not check
* for duplicates and always appends @allowed_ip to the end of the
* list. If @allowed_ip is valid, it will be normalized and a modified
* for might be appended. If @allowed_ip is invalid, it will still be
* appended, but later verification will fail.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Returns: %TRUE if the value is a valid allowed-ips value, %FALSE otherwise.
* Depending on @accept_invalid, also invalid values are added.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_append_allowed_ip(NMWireGuardPeer *self,
const char * allowed_ip,
gboolean accept_invalid)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE), FALSE);
g_return_val_if_fail(allowed_ip, FALSE);
return _peer_append_allowed_ip(self, allowed_ip, accept_invalid);
}
/**
* nm_wireguard_peer_remove_allowed_ip:
* @self: the unsealed #NMWireGuardPeer instance
* @idx: the index from zero to (allowed-ips-len - 1) to
* retrieve. If the index is out of range, %FALSE is returned
* and nothing is done.
*
* Removes the allowed-ip at the given @idx. This shifts all
* following entries one index down.
*
* It is a bug trying to modify a sealed #NMWireGuardPeer instance.
*
* Returns: %TRUE if @idx was valid and the allowed-ip was removed.
* %FALSE otherwise, and the peer will not be changed.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_remove_allowed_ip(NMWireGuardPeer *self, guint idx)
{
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, FALSE), FALSE);
if (!self->allowed_ips || idx >= self->allowed_ips->len)
return FALSE;
g_ptr_array_remove_index(self->allowed_ips, idx);
return TRUE;
}
/**
* nm_wireguard_peer_is_valid:
* @self: the #NMWireGuardPeer instance
* @check_secrets: if %TRUE, non-secret properties are validated.
* Otherwise, they are ignored for this purpose.
* @check_non_secrets: if %TRUE, secret properties are validated.
* Otherwise, they are ignored for this purpose.
* @error: the #GError location for returning the failure reason.
*
* Returns: %TRUE if the peer is valid or fails with an error
* reason.
*
* Since: 1.16
*/
gboolean
nm_wireguard_peer_is_valid(const NMWireGuardPeer *self,
gboolean check_non_secrets,
gboolean check_secrets,
GError ** error)
{
guint i;
g_return_val_if_fail(NM_IS_WIREGUARD_PEER(self, TRUE), FALSE);
g_return_val_if_fail(!error || !*error, FALSE);
if (check_non_secrets) {
if (!self->public_key) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("missing public-key for peer"));
return FALSE;
} else if (!self->public_key_valid) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("invalid public-key for peer"));
return FALSE;
}
}
if (check_secrets) {
if (self->preshared_key && !self->preshared_key_valid) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("invalid preshared-key for peer"));
return FALSE;
}
}
if (check_non_secrets) {
if (!_nm_utils_secret_flags_validate(self->preshared_key_flags,
NULL,
NULL,
NM_SETTING_SECRET_FLAG_NONE,
error))
return FALSE;
}
if (check_non_secrets) {
if (self->endpoint && !nm_sock_addr_endpoint_get_host(self->endpoint)) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("invalid endpoint for peer"));
return FALSE;
}
if (self->allowed_ips) {
for (i = 0; i < self->allowed_ips->len; i++) {
const char *s = self->allowed_ips->pdata[i];
if (s[0] == ALLOWED_IP_INVALID_X) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("invalid IP address \"%s\" for allowed-ip of peer"),
&s[1]);
return FALSE;
}
}
}
if (!_nm_setting_secret_flags_valid(self->preshared_key_flags)) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("invalid preshared-key-flags for peer"));
return FALSE;
}
}
return TRUE;
}
/**
* nm_wireguard_peer_cmp:
* @a: (allow-none): the #NMWireGuardPeer to compare.
* @b: (allow-none): the other #NMWireGuardPeer to compare.
* @compare_flags: #NMSettingCompareFlags to affect the comparison.
*
* Returns: zero of the two instances are equivalent or
* a non-zero integer otherwise. This defines a total ordering
* over the peers. Whether a peer is sealed or not, does not
* affect the comparison.
*
* Since: 1.16
*/
int
nm_wireguard_peer_cmp(const NMWireGuardPeer *a,
const NMWireGuardPeer *b,
NMSettingCompareFlags compare_flags)
{
guint i, n;
NM_CMP_SELF(a, b);
/* regardless of the @compare_flags, the public-key is the ID of the peer. It must
* always be compared. */
NM_CMP_FIELD_BOOL(a, b, public_key_valid);
NM_CMP_FIELD_STR0(a, b, public_key);
if (NM_FLAGS_ANY(compare_flags,
NM_SETTING_COMPARE_FLAG_INFERRABLE | NM_SETTING_COMPARE_FLAG_FUZZY))
return 0;
NM_CMP_FIELD_BOOL(a, b, endpoint);
if (a->endpoint) {
NM_CMP_DIRECT_STRCMP0(nm_sock_addr_endpoint_get_endpoint(a->endpoint),
nm_sock_addr_endpoint_get_endpoint(b->endpoint));
}
NM_CMP_FIELD(a, b, persistent_keepalive);
NM_CMP_DIRECT((n = (a->allowed_ips ? a->allowed_ips->len : 0u)),
(b->allowed_ips ? b->allowed_ips->len : 0u));
for (i = 0; i < n; i++)
NM_CMP_DIRECT_STRCMP0(a->allowed_ips->pdata[i], b->allowed_ips->pdata[i]);
NM_CMP_FIELD(a, b, preshared_key_flags);
if (!NM_FLAGS_HAS(compare_flags, NM_SETTING_COMPARE_FLAG_IGNORE_SECRETS)) {
if (NM_FLAGS_HAS(compare_flags, NM_SETTING_COMPARE_FLAG_IGNORE_AGENT_OWNED_SECRETS)
&& NM_FLAGS_HAS(a->preshared_key_flags, NM_SETTING_SECRET_FLAG_AGENT_OWNED)) {
/* pass */
} else if (NM_FLAGS_HAS(compare_flags, NM_SETTING_COMPARE_FLAG_IGNORE_NOT_SAVED_SECRETS)
&& NM_FLAGS_HAS(a->preshared_key_flags, NM_SETTING_SECRET_FLAG_NOT_SAVED)) {
/* pass */
} else {
NM_CMP_FIELD_BOOL(a, b, preshared_key_valid);
NM_CMP_FIELD_STR0(a, b, preshared_key);
}
}
return 0;
}
/*****************************************************************************/
typedef struct {
const char * public_key;
NMWireGuardPeer *peer;
guint idx;
} PeerData;
/*****************************************************************************/
NM_GOBJECT_PROPERTIES_DEFINE_BASE(PROP_FWMARK,
PROP_IP4_AUTO_DEFAULT_ROUTE,
PROP_IP6_AUTO_DEFAULT_ROUTE,
PROP_LISTEN_PORT,
PROP_MTU,
PROP_PEER_ROUTES,
PROP_PRIVATE_KEY,
PROP_PRIVATE_KEY_FLAGS, );
typedef struct {
char * private_key;
GPtrArray * peers_arr;
GHashTable * peers_hash;
NMSettingSecretFlags private_key_flags;
NMTernary ip4_auto_default_route;
NMTernary ip6_auto_default_route;
guint32 fwmark;
guint32 mtu;
guint16 listen_port;
bool private_key_valid : 1;
bool peer_routes : 1;
} NMSettingWireGuardPrivate;
/**
* NMSettingWireGuard:
*
* WireGuard Settings
*
* Since: 1.16
*/
struct _NMSettingWireGuard {
NMSetting parent;
NMSettingWireGuardPrivate _priv;
};
struct _NMSettingWireGuardClass {
NMSettingClass parent;
};
G_DEFINE_TYPE(NMSettingWireGuard, nm_setting_wireguard, NM_TYPE_SETTING)
#define NM_SETTING_WIREGUARD_GET_PRIVATE(self) \
_NM_GET_PRIVATE(self, NMSettingWireGuard, NM_IS_SETTING_WIREGUARD, NMSetting)
/*****************************************************************************/
#define peers_psk_get_secret_name_a(public_key, to_free) \
nm_construct_name_a(NM_SETTING_WIREGUARD_PEERS ".%s." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, \
(public_key), \
(to_free))
#define peers_psk_get_secret_name_dup(public_key) \
g_strdup_printf(NM_SETTING_WIREGUARD_PEERS ".%s." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, \
(public_key))
#define peers_psk_get_secret_parse_a(secret_public_key, public_key_free) \
({ \
const char *_secret_public_key = (secret_public_key); \
char ** _public_key_free = (public_key_free); \
const char *_public_key = NULL; \
\
nm_assert(_public_key_free && !*_public_key_free); \
\
if (NM_STR_HAS_PREFIX(_secret_public_key, NM_SETTING_WIREGUARD_PEERS ".")) { \
_secret_public_key += NM_STRLEN(NM_SETTING_WIREGUARD_PEERS "."); \
if (NM_STR_HAS_SUFFIX(_secret_public_key, "." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY)) { \
_public_key = \
nm_strndup_a(300, \
_secret_public_key, \
strlen(_secret_public_key) \
- NM_STRLEN("." NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY), \
_public_key_free); \
} \
} \
\
_public_key; \
})
/*****************************************************************************/
/**
* nm_setting_wireguard_get_private_key:
* @self: the #NMSettingWireGuard instance
*
* Returns: (transfer none): the set private-key or %NULL.
*
* Since: 1.16
*/
const char *
nm_setting_wireguard_get_private_key(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), NULL);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->private_key;
}
/**
* nm_setting_wireguard_get_private_key_flags:
* @self: the #NMSettingWireGuard instance
*
* Returns: the secret-flags for #NMSettingWireGuard:private-key.
*
* Since: 1.16
*/
NMSettingSecretFlags
nm_setting_wireguard_get_private_key_flags(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->private_key_flags;
}
/**
* nm_setting_wireguard_get_fwmark:
* @self: the #NMSettingWireGuard instance
*
* Returns: the set firewall mark.
*
* Since: 1.16
*/
guint32
nm_setting_wireguard_get_fwmark(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->fwmark;
}
/**
* nm_setting_wireguard_get_listen_port:
* @self: the #NMSettingWireGuard instance
*
* Returns: the set UDP listen port.
*
* Since: 1.16
*/
guint16
nm_setting_wireguard_get_listen_port(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->listen_port;
}
/**
* nm_setting_wireguard_get_peer_routes:
* @self: the #NMSettingWireGuard instance
*
* Returns: whether automatically add peer routes.
*
* Since: 1.16
*/
gboolean
nm_setting_wireguard_get_peer_routes(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), TRUE);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->peer_routes;
}
/**
* nm_setting_wireguard_get_mtu:
* @self: the #NMSettingWireGuard instance
*
* Returns: the MTU of the setting.
*
* Since: 1.16
*/
guint32
nm_setting_wireguard_get_mtu(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->mtu;
}
/**
* nm_setting_wireguard_get_ip4_auto_default_route:
* @self: the #NMSettingWireGuard setting.
*
* Returns: the "ip4-auto-default-route" property of the setting.
*
* Since: 1.20
*/
NMTernary
nm_setting_wireguard_get_ip4_auto_default_route(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), NM_TERNARY_DEFAULT);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->ip4_auto_default_route;
}
/**
* nm_setting_wireguard_get_ip6_auto_default_route:
* @self: the #NMSettingWireGuard setting.
*
* Returns: the "ip6-auto-default-route" property of the setting.
*
* Since: 1.20
*/
NMTernary
nm_setting_wireguard_get_ip6_auto_default_route(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), NM_TERNARY_DEFAULT);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->ip6_auto_default_route;
}
/*****************************************************************************/
static void
_peer_free(PeerData *pd)
{
nm_assert(pd);
nm_wireguard_peer_unref(pd->peer);
g_slice_free(PeerData, pd);
}
/*****************************************************************************/
static void
_peers_notify(gpointer self)
{
_nm_setting_emit_property_changed(self);
}
static PeerData *
_peers_get(NMSettingWireGuardPrivate *priv, guint idx)
{
PeerData *pd;
nm_assert(priv);
nm_assert(idx < priv->peers_arr->len);
pd = priv->peers_arr->pdata[idx];
nm_assert(pd);
nm_assert(pd->idx == idx);
nm_assert(NM_IS_WIREGUARD_PEER(pd->peer, TRUE));
nm_assert(nm_wireguard_peer_is_sealed(pd->peer));
nm_assert(pd->public_key == nm_wireguard_peer_get_public_key(pd->peer));
nm_assert(g_hash_table_lookup(priv->peers_hash, pd) == pd);
return pd;
}
static PeerData *
_peers_get_by_public_key(NMSettingWireGuardPrivate *priv,
const char * public_key,
gboolean try_with_normalized_key)
{
gs_free char *public_key_normalized = NULL;
PeerData * pd;
again:
nm_assert(priv);
nm_assert(public_key);
pd = g_hash_table_lookup(priv->peers_hash, &public_key);
if (pd) {
nm_assert(_peers_get(priv, pd->idx) == pd);
return pd;
}
if (try_with_normalized_key
&& nm_utils_base64secret_normalize(public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized)) {
public_key = public_key_normalized;
try_with_normalized_key = FALSE;
goto again;
}
return NULL;
}
static void
_peers_remove(NMSettingWireGuardPrivate *priv, PeerData *pd, gboolean do_free)
{
guint i;
nm_assert(pd);
nm_assert(_peers_get(priv, pd->idx) == pd);
for (i = pd->idx + 1; i < priv->peers_arr->len; i++)
_peers_get(priv, i)->idx--;
g_ptr_array_remove_index(priv->peers_arr, pd->idx);
if (!g_hash_table_remove(priv->peers_hash, pd))
nm_assert_not_reached();
if (do_free)
_peer_free(pd);
}
/**
* nm_setting_wireguard_get_peers_len:
* @self: the #NMSettingWireGuard instance
*
* Returns: the number of registered peers.
*
* Since: 1.16
*/
guint
nm_setting_wireguard_get_peers_len(NMSettingWireGuard *self)
{
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
return NM_SETTING_WIREGUARD_GET_PRIVATE(self)->peers_arr->len;
}
/**
* nm_setting_wireguard_get_peer:
* @self: the #NMSettingWireGuard instance
* @idx: the index to lookup.
*
* Returns: (transfer none): the #NMWireGuardPeer entry at
* index @idx. If the index is out of range, %NULL is returned.
*
* Since: 1.16
*/
NMWireGuardPeer *
nm_setting_wireguard_get_peer(NMSettingWireGuard *self, guint idx)
{
NMSettingWireGuardPrivate *priv;
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), NULL);
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
if (idx >= priv->peers_arr->len)
return NULL;
return _peers_get(priv, idx)->peer;
}
/**
* nm_setting_wireguard_get_peer_by_public_key:
* @self: the #NMSettingWireGuard instance
* @public_key: the public key for looking up the
* peer.
* @out_idx: (out) (allow-none): optional output argument
* for the index of the found peer. If no index is found,
* this is set to the nm_setting_wireguard_get_peers_len().
*
* Returns: (transfer none): the #NMWireGuardPeer instance with a
* matching public key. If no such peer exists, %NULL is returned.
*
* Since: 1.16
*/
NMWireGuardPeer *
nm_setting_wireguard_get_peer_by_public_key(NMSettingWireGuard *self,
const char * public_key,
guint * out_idx)
{
NMSettingWireGuardPrivate *priv;
PeerData * pd;
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), NULL);
g_return_val_if_fail(public_key, NULL);
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
pd = _peers_get_by_public_key(priv, public_key, TRUE);
if (!pd) {
NM_SET_OUT(out_idx, priv->peers_arr->len);
return NULL;
}
NM_SET_OUT(out_idx, pd->idx);
return pd->peer;
}
static gboolean
_peers_set(NMSettingWireGuardPrivate *priv,
NMWireGuardPeer * peer,
guint idx,
gboolean check_same_key)
{
PeerData * pd_same_key = NULL;
PeerData * pd_idx = NULL;
const char *public_key;
nm_assert(idx <= priv->peers_arr->len);
public_key = nm_wireguard_peer_get_public_key(peer);
if (idx < priv->peers_arr->len) {
pd_idx = _peers_get(priv, idx);
if (pd_idx->peer == peer)
return FALSE;
if (check_same_key && nm_streq(public_key, nm_wireguard_peer_get_public_key(pd_idx->peer)))
check_same_key = FALSE;
}
nm_wireguard_peer_seal(peer);
nm_wireguard_peer_ref(peer);
if (check_same_key) {
pd_same_key = _peers_get_by_public_key(priv, public_key, FALSE);
if (pd_same_key) {
if (pd_idx) {
nm_assert(pd_same_key != pd_idx);
_peers_remove(priv, pd_same_key, TRUE);
pd_same_key = NULL;
} else {
if (pd_same_key->peer == peer && pd_same_key->idx == priv->peers_arr->len - 1) {
nm_wireguard_peer_unref(peer);
return FALSE;
}
_peers_remove(priv, pd_same_key, FALSE);
nm_wireguard_peer_unref(pd_same_key->peer);
}
}
} else
nm_assert(_peers_get_by_public_key(priv, public_key, FALSE) == pd_idx);
if (pd_idx) {
g_hash_table_remove(priv->peers_hash, pd_idx);
nm_wireguard_peer_unref(pd_idx->peer);
pd_idx->public_key = public_key;
pd_idx->peer = peer;
g_hash_table_add(priv->peers_hash, pd_idx);
return TRUE;
}
if (!pd_same_key)
pd_same_key = g_slice_new(PeerData);
*pd_same_key = (PeerData){
.peer = peer,
.public_key = public_key,
.idx = priv->peers_arr->len,
};
g_ptr_array_add(priv->peers_arr, pd_same_key);
if (!nm_g_hash_table_add(priv->peers_hash, pd_same_key))
nm_assert_not_reached();
nm_assert(_peers_get(priv, pd_same_key->idx) == pd_same_key);
return TRUE;
}
static gboolean
_peers_append(NMSettingWireGuardPrivate *priv, NMWireGuardPeer *peer, gboolean check_same_key)
{
return _peers_set(priv, peer, priv->peers_arr->len, check_same_key);
}
/**
* nm_setting_wireguard_set_peer:
* @self: the #NMSettingWireGuard instance
* @peer: the #NMWireGuardPeer instance to set.
* This seals @peer and keeps a reference on the
* instance.
* @idx: the index, in the range of 0 to the number of
* peers (including). That means, if @idx is one past
* the end of the number of peers, this is the same as
* nm_setting_wireguard_append_peer(). Otherwise, the
* peer at this index is replaced.
*
* If @idx is one past the last peer, the behavior is the same
* as nm_setting_wireguard_append_peer().
* Otherwise, the peer will be at @idx and replace the peer
* instance at that index. Note that if a peer with the same
* public-key exists on another index, then that peer will also
* be replaced. In that case, the number of peers will shrink
* by one (because the one at @idx got replace and then one
* with the same public-key got removed). This also means,
* that the resulting index afterwards may be one less than
* @idx (if another peer with a lower index was dropped).
*
* Since: 1.16
*/
void
nm_setting_wireguard_set_peer(NMSettingWireGuard *self, NMWireGuardPeer *peer, guint idx)
{
NMSettingWireGuardPrivate *priv;
g_return_if_fail(NM_IS_SETTING_WIREGUARD(self));
g_return_if_fail(NM_IS_WIREGUARD_PEER(peer, TRUE));
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
g_return_if_fail(idx <= priv->peers_arr->len);
if (_peers_set(priv, peer, idx, TRUE))
_peers_notify(self);
}
/**
* nm_setting_wireguard_append_peer:
* @self: the #NMSettingWireGuard instance
* @peer: the #NMWireGuardPeer instance to append.
* This seals @peer and keeps a reference on the
* instance.
*
* If a peer with the same public-key already exists, that
* one is replaced by @peer. The new @peer is always appended
* (or moved to) the end, so in case a peer is replaced, the
* indexes are shifted and the number of peers stays unchanged.
*
* Since: 1.16
*/
void
nm_setting_wireguard_append_peer(NMSettingWireGuard *self, NMWireGuardPeer *peer)
{
g_return_if_fail(NM_IS_SETTING_WIREGUARD(self));
g_return_if_fail(NM_IS_WIREGUARD_PEER(peer, TRUE));
if (_peers_append(NM_SETTING_WIREGUARD_GET_PRIVATE(self), peer, TRUE))
_peers_notify(self);
}
/**
* nm_setting_wireguard_remove_peer
* @self: the #NMSettingWireGuard instance
* @idx: the index to remove.
*
* Returns: %TRUE if @idx was in range and a peer
* was removed. Otherwise, @self is unchanged.
*
* Since: 1.16
*/
gboolean
nm_setting_wireguard_remove_peer(NMSettingWireGuard *self, guint idx)
{
NMSettingWireGuardPrivate *priv;
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), FALSE);
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
if (idx >= priv->peers_arr->len)
return FALSE;
_peers_remove(priv, _peers_get(priv, idx), TRUE);
_peers_notify(self);
return TRUE;
}
static guint
_peers_clear(NMSettingWireGuardPrivate *priv)
{
guint l;
l = priv->peers_arr->len;
while (priv->peers_arr->len > 0) {
_peers_remove(priv, _peers_get(priv, priv->peers_arr->len - 1), TRUE);
}
return l;
}
/**
* nm_setting_wireguard_:
* @self: the #NMSettingWireGuard instance
*
* Returns: the number of cleared peers.
*
* Since: 1.16
*/
guint
nm_setting_wireguard_clear_peers(NMSettingWireGuard *self)
{
guint l;
g_return_val_if_fail(NM_IS_SETTING_WIREGUARD(self), 0);
l = _peers_clear(NM_SETTING_WIREGUARD_GET_PRIVATE(self));
if (l > 0)
_peers_notify(self);
return l;
}
/*****************************************************************************/
static GVariant *
_peers_dbus_only_synth(const NMSettInfoSetting * sett_info,
guint property_idx,
NMConnection * connection,
NMSetting * setting,
NMConnectionSerializationFlags flags,
const NMConnectionSerializationOptions *options)
{
NMSettingWireGuard * self = NM_SETTING_WIREGUARD(setting);
NMSettingWireGuardPrivate *priv;
gboolean any_peers = FALSE;
GVariantBuilder peers_builder;
guint i_peer, n_peers;
guint i;
n_peers = nm_setting_wireguard_get_peers_len(self);
if (n_peers == 0)
return NULL;
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
for (i_peer = 0; i_peer < n_peers; i_peer++) {
const NMWireGuardPeer *peer = _peers_get(priv, i_peer)->peer;
GVariantBuilder builder;
if (!peer->public_key)
continue;
g_variant_builder_init(&builder, G_VARIANT_TYPE("a{sv}"));
g_variant_builder_add(&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY,
g_variant_new_string(peer->public_key));
if (!NM_FLAGS_HAS(flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS) && peer->endpoint)
g_variant_builder_add(
&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_ENDPOINT,
g_variant_new_string(nm_sock_addr_endpoint_get_endpoint(peer->endpoint)));
if (_nm_connection_serialize_secrets(flags, peer->preshared_key_flags)
&& peer->preshared_key)
g_variant_builder_add(&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY,
g_variant_new_string(peer->preshared_key));
if (!NM_FLAGS_HAS(flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS)
&& peer->preshared_key_flags != NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
g_variant_builder_add(&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY_FLAGS,
g_variant_new_uint32(peer->preshared_key_flags));
if (!NM_FLAGS_HAS(flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS)
&& peer->persistent_keepalive != 0)
g_variant_builder_add(&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_PERSISTENT_KEEPALIVE,
g_variant_new_uint32(peer->persistent_keepalive));
if (!NM_FLAGS_HAS(flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS) && peer->allowed_ips
&& peer->allowed_ips->len > 0) {
const char *const * strv = (const char *const *) peer->allowed_ips->pdata;
gs_free const char **strv_fixed = NULL;
for (i = 0; i < peer->allowed_ips->len; i++) {
if (strv[i][0] != ALLOWED_IP_INVALID_X)
continue;
if (!strv_fixed) {
strv_fixed = nm_memdup(strv, sizeof(strv[0]) * peer->allowed_ips->len);
strv = strv_fixed;
}
((const char **) strv)[i]++;
}
g_variant_builder_add(&builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_ALLOWED_IPS,
g_variant_new_strv(strv, peer->allowed_ips->len));
}
if (!any_peers) {
g_variant_builder_init(&peers_builder, G_VARIANT_TYPE("aa{sv}"));
any_peers = TRUE;
}
g_variant_builder_add(&peers_builder, "a{sv}", &builder);
}
return any_peers ? g_variant_builder_end(&peers_builder) : NULL;
}
static gboolean
_peers_dbus_only_set(NMSetting * setting,
GVariant * connection_dict,
const char * property,
GVariant * value,
NMSettingParseFlags parse_flags,
GError ** error)
{
GVariantIter iter_peers;
GVariant * peer_var;
guint i_peer;
gboolean success = FALSE;
gboolean peers_changed = FALSE;
nm_assert(g_variant_is_of_type(value, G_VARIANT_TYPE("aa{sv}")));
g_variant_iter_init(&iter_peers, value);
i_peer = 0;
while (g_variant_iter_next(&iter_peers, "@a{sv}", &peer_var)) {
_nm_unused gs_unref_variant GVariant *peer_var_unref = peer_var;
nm_auto_unref_wgpeer NMWireGuardPeer *peer = NULL;
const char * cstr;
guint32 u32;
GVariant * var;
i_peer++;
if (!g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY, "&s", &cstr)) {
if (NM_FLAGS_HAS(parse_flags, NM_SETTING_PARSE_FLAGS_STRICT)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("peer #%u has no public-key"),
i_peer);
goto out;
}
continue;
}
peer = nm_wireguard_peer_new();
if (!nm_wireguard_peer_set_public_key(peer, cstr, TRUE)) {
if (NM_FLAGS_HAS(parse_flags, NM_SETTING_PARSE_FLAGS_STRICT)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("peer #%u has invalid public-key"),
i_peer);
goto out;
}
continue;
}
if (g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_ENDPOINT, "&s", &cstr)) {
nm_auto_unref_sockaddrendpoint NMSockAddrEndpoint *ep = NULL;
ep = nm_sock_addr_endpoint_new(cstr);
if (!nm_sock_addr_endpoint_get_host(ep)) {
if (NM_FLAGS_HAS(parse_flags, NM_SETTING_PARSE_FLAGS_STRICT)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("peer #%u has invalid endpoint"),
i_peer);
goto out;
}
} else
_nm_wireguard_peer_set_endpoint(peer, ep);
}
if (g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, "&s", &cstr))
nm_wireguard_peer_set_preshared_key(peer, cstr, TRUE);
if (g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY_FLAGS, "u", &u32))
nm_wireguard_peer_set_preshared_key_flags(peer, u32);
if (g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PERSISTENT_KEEPALIVE, "u", &u32))
nm_wireguard_peer_set_persistent_keepalive(peer, u32);
if (g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_ALLOWED_IPS, "@as", &var)) {
_nm_unused gs_unref_variant GVariant *var_free = var;
gs_free const char ** allowed_ips = NULL;
gsize i, l;
allowed_ips = g_variant_get_strv(var, &l);
if (allowed_ips) {
for (i = 0; i < l; i++) {
if (_peer_append_allowed_ip(peer, allowed_ips[i], FALSE))
continue;
if (!NM_FLAGS_HAS(parse_flags, NM_SETTING_PARSE_FLAGS_STRICT))
continue;
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("peer #%u has invalid allowed-ips setting"),
i_peer);
goto out;
}
}
}
if (NM_FLAGS_HAS(parse_flags, NM_SETTING_PARSE_FLAGS_STRICT)) {
gs_free_error GError *local = NULL;
if (!nm_wireguard_peer_is_valid(peer, TRUE, FALSE, &local)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_PROPERTY,
_("peer #%u is invalid: %s"),
i_peer,
local->message);
goto out;
}
}
/* we could easily reject duplicate peers (by public-key) or duplicate GVariant attributes.
* However, don't do that. In case of duplicate values, the latter peer overwrite the earlier
* and GVariant attributes are ignored by g_variant_lookup() above. */
if (_peers_append(NM_SETTING_WIREGUARD_GET_PRIVATE(setting), peer, TRUE))
peers_changed = TRUE;
}
success = TRUE;
out:
if (peers_changed)
_peers_notify(setting);
return success;
}
/*****************************************************************************/
static gboolean
verify(NMSetting *setting, NMConnection *connection, GError **error)
{
NMSettingWireGuard * s_wg = NM_SETTING_WIREGUARD(setting);
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
guint i;
if (!_nm_connection_verify_required_interface_name(connection, error))
return FALSE;
if (!_nm_utils_secret_flags_validate(nm_setting_wireguard_get_private_key_flags(s_wg),
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PRIVATE_KEY_FLAGS,
NM_SETTING_SECRET_FLAG_NOT_REQUIRED,
error))
return FALSE;
for (i = 0; i < priv->peers_arr->len; i++) {
NMWireGuardPeer *peer = _peers_get(priv, i)->peer;
if (!nm_wireguard_peer_is_valid(peer, TRUE, FALSE, error)) {
g_prefix_error(error,
"%s.%s[%u]: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PEERS,
i);
return FALSE;
}
}
if (connection) {
NMSettingIPConfig *s_ip4;
NMSettingIPConfig *s_ip6;
const char * method;
/* WireGuard is Layer 3 only. For the moment, we only support a restricted set of
* IP methods. We may relax that later, once we fix the implementations so they
* actually work. */
if ((s_ip4 = nm_connection_get_setting_ip4_config(connection))
&& (method = nm_setting_ip_config_get_method(s_ip4))
&& !NM_IN_STRSET(method,
NM_SETTING_IP4_CONFIG_METHOD_DISABLED,
NM_SETTING_IP4_CONFIG_METHOD_MANUAL)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("method \"%s\" is not supported for WireGuard"),
method);
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_IP4_CONFIG_SETTING_NAME,
NM_SETTING_IP_CONFIG_METHOD);
return FALSE;
}
if ((s_ip6 = nm_connection_get_setting_ip6_config(connection))
&& (method = nm_setting_ip_config_get_method(s_ip6))
&& !NM_IN_STRSET(method,
NM_SETTING_IP6_CONFIG_METHOD_IGNORE,
NM_SETTING_IP6_CONFIG_METHOD_LINK_LOCAL,
NM_SETTING_IP6_CONFIG_METHOD_MANUAL,
NM_SETTING_IP6_CONFIG_METHOD_DISABLED)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("method \"%s\" is not supported for WireGuard"),
method);
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_IP6_CONFIG_SETTING_NAME,
NM_SETTING_IP_CONFIG_METHOD);
return FALSE;
}
}
/* private-key is a secret, hence we cannot verify it like a regular property. */
return TRUE;
}
static gboolean
verify_secrets(NMSetting *setting, NMConnection *connection, GError **error)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
guint i;
if (priv->private_key && !priv->private_key_valid) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("key must be 32 bytes base64 encoded"));
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PRIVATE_KEY);
return FALSE;
}
for (i = 0; i < priv->peers_arr->len; i++) {
NMWireGuardPeer *peer = _peers_get(priv, i)->peer;
if (!nm_wireguard_peer_is_valid(peer, FALSE, TRUE, error)) {
g_prefix_error(error,
"%s.%s[%u]: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PEERS,
i);
return FALSE;
}
}
return TRUE;
}
static GPtrArray *
need_secrets(NMSetting *setting)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
GPtrArray * secrets = NULL;
guint i;
if (!priv->private_key || !priv->private_key_valid) {
secrets = g_ptr_array_new_full(1, g_free);
g_ptr_array_add(secrets, g_strdup(NM_SETTING_WIREGUARD_PRIVATE_KEY));
}
for (i = 0; i < priv->peers_arr->len; i++) {
NMWireGuardPeer *peer = _peers_get(priv, i)->peer;
if (NM_FLAGS_HAS(peer->preshared_key_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED))
continue;
if (peer->preshared_key_valid)
continue;
if (!peer->public_key_valid)
continue;
if (!secrets)
secrets = g_ptr_array_new_full(1, g_free);
g_ptr_array_add(secrets, peers_psk_get_secret_name_dup(peer->public_key));
}
return secrets;
}
static gboolean
clear_secrets(const NMSettInfoSetting * sett_info,
guint property_idx,
NMSetting * setting,
NMSettingClearSecretsWithFlagsFn func,
gpointer user_data)
{
if (nm_streq(sett_info->property_infos[property_idx].name, NM_SETTING_WIREGUARD_PEERS)) {
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
gboolean peers_changed = FALSE;
guint i, j;
j = 0;
for (i = 0; i < priv->peers_arr->len; i++) {
NMWireGuardPeer *peer = _peers_get(priv, i)->peer;
if (!peer->preshared_key)
continue;
if (func) {
gs_free char *name_free = NULL;
const char * name;
/* only stack-allocate (alloca) a few times. */
if (j++ < 5)
name = peers_psk_get_secret_name_a(peer->public_key, &name_free);
else {
name_free = peers_psk_get_secret_name_dup(peer->public_key);
name = name_free;
}
if (!func(setting, name, peer->preshared_key_flags, user_data))
continue;
}
{
nm_auto_unref_wgpeer NMWireGuardPeer *peer2 = NULL;
peer2 = nm_wireguard_peer_new_clone(peer, FALSE);
if (_peers_set(priv, peer2, i, FALSE))
peers_changed = TRUE;
}
}
if (peers_changed)
_peers_notify(setting);
return peers_changed;
}
return NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->clear_secrets(sett_info, property_idx, setting, func, user_data);
}
static int
update_one_secret(NMSetting *setting, const char *key, GVariant *value, GError **error)
{
NMSettingWireGuard * self = NM_SETTING_WIREGUARD(setting);
NMSettingWireGuardPrivate *priv;
gboolean has_changes = FALSE;
gboolean has_error = FALSE;
GVariantIter iter_peers;
GVariant * peer_var;
guint i_peer;
if (!nm_streq(key, NM_SETTING_WIREGUARD_PEERS)) {
return NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->update_one_secret(setting, key, value, error);
}
if (!g_variant_is_of_type(value, G_VARIANT_TYPE("aa{sv}"))) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_PROPERTY_NOT_SECRET,
_("invalid peer secrets"));
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PEERS);
return NM_SETTING_UPDATE_SECRET_ERROR;
}
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
g_variant_iter_init(&iter_peers, value);
i_peer = 0;
while (g_variant_iter_next(&iter_peers, "@a{sv}", &peer_var)) {
_nm_unused gs_unref_variant GVariant *peer_var_unref = peer_var;
nm_auto_unref_wgpeer NMWireGuardPeer *peer = NULL;
PeerData * pd;
const char * cstr;
i_peer++;
if (!g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY, "&s", &cstr)) {
if (!has_error) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_PROPERTY_NOT_SECRET,
_("peer #%u lacks public-key"),
i_peer - 1);
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PEERS);
has_error = TRUE;
}
continue;
}
pd = _peers_get_by_public_key(priv, cstr, TRUE);
if (!pd) {
if (!has_error) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_PROPERTY_NOT_SECRET,
_("non-existing peer '%s'"),
cstr);
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_WIREGUARD_SETTING_NAME,
NM_SETTING_WIREGUARD_PEERS);
has_error = TRUE;
}
continue;
}
if (!g_variant_lookup(peer_var, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, "&s", &cstr)) {
/* no preshared-key. Ignore the rest.
*
* In particular, we don't reject all unknown fields. */
continue;
}
if (nm_streq0(cstr, nm_wireguard_peer_get_preshared_key(pd->peer)))
continue;
peer = nm_wireguard_peer_new_clone(pd->peer, FALSE);
nm_wireguard_peer_set_preshared_key(peer, cstr, TRUE);
if (!_peers_set(priv, peer, pd->idx, FALSE))
nm_assert_not_reached();
has_changes = TRUE;
}
if (has_error)
return NM_SETTING_UPDATE_SECRET_ERROR;
if (has_changes)
return NM_SETTING_UPDATE_SECRET_SUCCESS_MODIFIED;
return NM_SETTING_UPDATE_SECRET_SUCCESS_UNCHANGED;
}
static NMTernary
compare_property(const NMSettInfoSetting *sett_info,
guint property_idx,
NMConnection * con_a,
NMSetting * set_a,
NMConnection * con_b,
NMSetting * set_b,
NMSettingCompareFlags flags)
{
NMSettingWireGuardPrivate *a_priv;
NMSettingWireGuardPrivate *b_priv;
guint i;
if (nm_streq(sett_info->property_infos[property_idx].name, NM_SETTING_WIREGUARD_PEERS)) {
if (NM_FLAGS_HAS(flags, NM_SETTING_COMPARE_FLAG_INFERRABLE))
return NM_TERNARY_DEFAULT;
if (!set_b)
return TRUE;
a_priv = NM_SETTING_WIREGUARD_GET_PRIVATE(set_a);
b_priv = NM_SETTING_WIREGUARD_GET_PRIVATE(set_b);
if (a_priv->peers_arr->len != b_priv->peers_arr->len)
return FALSE;
for (i = 0; i < a_priv->peers_arr->len; i++) {
NMWireGuardPeer *a_peer = _peers_get(a_priv, i)->peer;
NMWireGuardPeer *b_peer = _peers_get(b_priv, i)->peer;
if (nm_wireguard_peer_cmp(a_peer, b_peer, flags) != 0)
return FALSE;
}
return TRUE;
}
return NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->compare_property(sett_info, property_idx, con_a, set_a, con_b, set_b, flags);
}
static void
duplicate_copy_properties(const NMSettInfoSetting *sett_info, NMSetting *src, NMSetting *dst)
{
NMSettingWireGuardPrivate *priv_src = NM_SETTING_WIREGUARD_GET_PRIVATE(src);
NMSettingWireGuardPrivate *priv_dst = NM_SETTING_WIREGUARD_GET_PRIVATE(dst);
guint i;
gboolean peers_changed = FALSE;
NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->duplicate_copy_properties(sett_info, src, dst);
/* We don't bother comparing the existing peers with what we are about to set.
* Always reset all. */
if (_peers_clear(priv_dst) > 0)
peers_changed = TRUE;
for (i = 0; i < priv_src->peers_arr->len; i++) {
if (_peers_append(priv_dst, _peers_get(priv_src, i)->peer, FALSE))
peers_changed = TRUE;
}
if (peers_changed)
_peers_notify(dst);
}
static void
enumerate_values(const NMSettInfoProperty *property_info,
NMSetting * setting,
NMSettingValueIterFn func,
gpointer user_data)
{
if (nm_streq(property_info->name, NM_SETTING_WIREGUARD_PEERS)) {
NMSettingWireGuardPrivate * priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
nm_auto_unset_gvalue GValue value = G_VALUE_INIT;
GPtrArray * ptr = NULL;
guint i;
if (priv->peers_arr && priv->peers_arr->len > 0) {
ptr = g_ptr_array_new_with_free_func((GDestroyNotify) nm_wireguard_peer_unref);
for (i = 0; i < priv->peers_arr->len; i++)
g_ptr_array_add(ptr, nm_wireguard_peer_ref(_peers_get(priv, i)->peer));
}
g_value_init(&value, G_TYPE_PTR_ARRAY);
g_value_take_boxed(&value, ptr);
func(setting, property_info->name, &value, 0, user_data);
return;
}
NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->enumerate_values(property_info, setting, func, user_data);
}
static gboolean
aggregate(NMSetting *setting, int type_i, gpointer arg)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
NMConnectionAggregateType type = type_i;
NMSettingSecretFlags secret_flags;
guint i;
nm_assert(NM_IN_SET(type,
NM_CONNECTION_AGGREGATE_ANY_SECRETS,
NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS));
switch (type) {
case NM_CONNECTION_AGGREGATE_ANY_SECRETS:
if (priv->private_key)
goto out_done;
for (i = 0; i < priv->peers_arr->len; i++) {
if (nm_wireguard_peer_get_preshared_key(_peers_get(priv, i)->peer))
goto out_done;
}
break;
case NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS:
#if NM_MORE_ASSERTS
if (!nm_setting_get_secret_flags(setting,
NM_SETTING_WIREGUARD_PRIVATE_KEY,
&secret_flags,
NULL))
nm_assert_not_reached();
nm_assert(secret_flags == priv->private_key_flags);
#endif
if (priv->private_key_flags == NM_SETTING_SECRET_FLAG_NONE)
goto out_done;
for (i = 0; i < priv->peers_arr->len; i++) {
secret_flags = nm_wireguard_peer_get_preshared_key_flags(_peers_get(priv, i)->peer);
if (secret_flags == NM_SETTING_SECRET_FLAG_NONE)
goto out_done;
}
break;
}
return FALSE;
out_done:
*((gboolean *) arg) = TRUE;
return TRUE;
}
static gboolean
get_secret_flags(NMSetting * setting,
const char * secret_name,
NMSettingSecretFlags *out_flags,
GError ** error)
{
if (NM_STR_HAS_PREFIX(secret_name, NM_SETTING_WIREGUARD_PEERS ".")) {
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
gs_free char * public_key_free = NULL;
const char * public_key;
PeerData * pd;
public_key = peers_psk_get_secret_parse_a(secret_name, &public_key_free);
if (public_key && (pd = _peers_get_by_public_key(priv, public_key, FALSE))) {
NM_SET_OUT(out_flags, nm_wireguard_peer_get_preshared_key_flags(pd->peer));
return TRUE;
}
}
return NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->get_secret_flags(setting, secret_name, out_flags, error);
}
static gboolean
set_secret_flags(NMSetting * setting,
const char * secret_name,
NMSettingSecretFlags flags,
GError ** error)
{
if (NM_STR_HAS_PREFIX(secret_name, NM_SETTING_WIREGUARD_PEERS ".")) {
NMSettingWireGuard * self = NM_SETTING_WIREGUARD(setting);
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(self);
gs_free char * public_key_free = NULL;
const char * public_key;
PeerData * pd;
public_key = peers_psk_get_secret_parse_a(secret_name, &public_key_free);
if (public_key && (pd = _peers_get_by_public_key(priv, public_key, FALSE))) {
if (nm_wireguard_peer_get_preshared_key_flags(pd->peer) != flags) {
nm_auto_unref_wgpeer NMWireGuardPeer *peer = NULL;
peer = nm_wireguard_peer_new_clone(pd->peer, TRUE);
peer->preshared_key_flags = flags;
if (_peers_set(priv, peer, pd->idx, FALSE))
_peers_notify(self);
}
return TRUE;
}
}
return NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->set_secret_flags(setting, secret_name, flags, error);
}
static void
for_each_secret(NMSetting * setting,
const char * data_key,
GVariant * data_val,
gboolean remove_non_secrets,
_NMConnectionForEachSecretFunc callback,
gpointer callback_data,
GVariantBuilder * setting_builder)
{
NMSettingWireGuard * s_wg;
NMSettingWireGuardPrivate *priv;
GVariantBuilder peers_builder;
GVariantIter * peer_iter;
GVariantIter data_iter;
const char * key;
if (!nm_streq(data_key, NM_SETTING_WIREGUARD_PEERS)) {
NM_SETTING_CLASS(nm_setting_wireguard_parent_class)
->for_each_secret(setting,
data_key,
data_val,
remove_non_secrets,
callback,
callback_data,
setting_builder);
return;
}
if (!g_variant_is_of_type(data_val, G_VARIANT_TYPE("aa{sv}"))) {
/* invalid type. Silently ignore content as we cannot find secret-keys
* here. */
return;
}
s_wg = NM_SETTING_WIREGUARD(setting);
priv = NM_SETTING_WIREGUARD_GET_PRIVATE(s_wg);
g_variant_builder_init(&peers_builder, G_VARIANT_TYPE("aa{sv}"));
g_variant_iter_init(&data_iter, data_val);
while (g_variant_iter_next(&data_iter, "a{sv}", &peer_iter)) {
_nm_unused nm_auto_free_variant_iter GVariantIter *peer_iter_free = peer_iter;
gs_unref_variant GVariant *preshared_key = NULL;
PeerData * pd = NULL;
NMSettingSecretFlags secret_flags;
GVariant * val;
GVariantBuilder peer_builder;
g_variant_builder_init(&peer_builder, G_VARIANT_TYPE("a{sv}"));
while (g_variant_iter_next(peer_iter, "{&sv}", &key, &val)) {
_nm_unused gs_unref_variant GVariant *val_free = val;
if (nm_streq(key, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY)) {
if (!preshared_key && g_variant_is_of_type(val, G_VARIANT_TYPE_STRING))
preshared_key = g_variant_ref(val);
continue;
}
if (nm_streq(key, NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY)) {
if (!pd && g_variant_is_of_type(val, G_VARIANT_TYPE_STRING))
pd = _peers_get_by_public_key(priv, g_variant_get_string(val, NULL), TRUE);
} else if (remove_non_secrets)
continue;
g_variant_builder_add(&peer_builder, "{sv}", key, val);
}
if (pd && preshared_key) {
/* without specifying a public-key of an existing peer, the secret is
* ignored. */
secret_flags = nm_wireguard_peer_get_preshared_key_flags(pd->peer);
if (callback(secret_flags, callback_data))
g_variant_builder_add(&peer_builder,
"{sv}",
NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY,
preshared_key);
}
g_variant_builder_add(&peers_builder, "a{sv}", &peer_builder);
}
g_variant_builder_add(setting_builder,
"{sv}",
NM_SETTING_WIREGUARD_PEERS,
g_variant_builder_end(&peers_builder));
}
/*****************************************************************************/
static void
get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
{
NMSettingWireGuard * setting = NM_SETTING_WIREGUARD(object);
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
switch (prop_id) {
case PROP_FWMARK:
g_value_set_uint(value, priv->fwmark);
break;
case PROP_IP4_AUTO_DEFAULT_ROUTE:
g_value_set_enum(value, priv->ip4_auto_default_route);
break;
case PROP_IP6_AUTO_DEFAULT_ROUTE:
g_value_set_enum(value, priv->ip6_auto_default_route);
break;
case PROP_LISTEN_PORT:
g_value_set_uint(value, priv->listen_port);
break;
case PROP_MTU:
g_value_set_uint(value, priv->mtu);
break;
case PROP_PEER_ROUTES:
g_value_set_boolean(value, priv->peer_routes);
break;
case PROP_PRIVATE_KEY:
g_value_set_string(value, priv->private_key);
break;
case PROP_PRIVATE_KEY_FLAGS:
g_value_set_flags(value, priv->private_key_flags);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
break;
}
}
static void
set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(object);
const char * str;
switch (prop_id) {
case PROP_FWMARK:
priv->fwmark = g_value_get_uint(value);
break;
case PROP_IP4_AUTO_DEFAULT_ROUTE:
priv->ip4_auto_default_route = g_value_get_enum(value);
break;
case PROP_IP6_AUTO_DEFAULT_ROUTE:
priv->ip6_auto_default_route = g_value_get_enum(value);
break;
case PROP_LISTEN_PORT:
priv->listen_port = g_value_get_uint(value);
break;
case PROP_MTU:
priv->mtu = g_value_get_uint(value);
break;
case PROP_PEER_ROUTES:
priv->peer_routes = g_value_get_boolean(value);
break;
case PROP_PRIVATE_KEY:
nm_clear_pointer(&priv->private_key, nm_free_secret);
str = g_value_get_string(value);
if (str) {
if (nm_utils_base64secret_normalize(str,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&priv->private_key))
priv->private_key_valid = TRUE;
else {
priv->private_key = g_strdup(str);
priv->private_key_valid = FALSE;
}
}
break;
case PROP_PRIVATE_KEY_FLAGS:
priv->private_key_flags = g_value_get_flags(value);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
break;
}
}
/*****************************************************************************/
static void
nm_setting_wireguard_init(NMSettingWireGuard *setting)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting);
priv->peers_arr = g_ptr_array_new();
priv->peers_hash = g_hash_table_new(nm_pstr_hash, nm_pstr_equal);
priv->peer_routes = TRUE;
priv->ip4_auto_default_route = NM_TERNARY_DEFAULT;
priv->ip6_auto_default_route = NM_TERNARY_DEFAULT;
}
/**
* nm_setting_wireguard_new:
*
* Creates a new #NMSettingWireGuard object with default values.
*
* Returns: (transfer full): the new empty #NMSettingWireGuard object
*
* Since: 1.16
**/
NMSetting *
nm_setting_wireguard_new(void)
{
return g_object_new(NM_TYPE_SETTING_WIREGUARD, NULL);
}
static void
finalize(GObject *object)
{
NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(object);
nm_free_secret(priv->private_key);
_peers_clear(priv);
g_ptr_array_unref(priv->peers_arr);
g_hash_table_unref(priv->peers_hash);
G_OBJECT_CLASS(nm_setting_wireguard_parent_class)->finalize(object);
}
static void
nm_setting_wireguard_class_init(NMSettingWireGuardClass *klass)
{
GObjectClass * object_class = G_OBJECT_CLASS(klass);
NMSettingClass *setting_class = NM_SETTING_CLASS(klass);
GArray * properties_override = _nm_sett_info_property_override_create_array();
object_class->get_property = get_property;
object_class->set_property = set_property;
object_class->finalize = finalize;
setting_class->verify = verify;
setting_class->verify_secrets = verify_secrets;
setting_class->need_secrets = need_secrets;
setting_class->clear_secrets = clear_secrets;
setting_class->update_one_secret = update_one_secret;
setting_class->compare_property = compare_property;
setting_class->duplicate_copy_properties = duplicate_copy_properties;
setting_class->enumerate_values = enumerate_values;
setting_class->aggregate = aggregate;
setting_class->get_secret_flags = get_secret_flags;
setting_class->set_secret_flags = set_secret_flags;
setting_class->for_each_secret = for_each_secret;
/**
* NMSettingWireGuard:private-key:
*
* The 256 bit private-key in base64 encoding.
*
* Since: 1.16
**/
obj_properties[PROP_PRIVATE_KEY] =
g_param_spec_string(NM_SETTING_WIREGUARD_PRIVATE_KEY,
"",
"",
NULL,
G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:private-key-flags:
*
* Flags indicating how to handle the #NMSettingWirelessSecurity:private-key
* property.
*
* Since: 1.16
**/
obj_properties[PROP_PRIVATE_KEY_FLAGS] =
g_param_spec_flags(NM_SETTING_WIREGUARD_PRIVATE_KEY_FLAGS,
"",
"",
NM_TYPE_SETTING_SECRET_FLAGS,
NM_SETTING_SECRET_FLAG_NONE,
G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:fwmark:
*
* The use of fwmark is optional and is by default off. Setting it to 0
* disables it. Otherwise, it is a 32-bit fwmark for outgoing packets.
*
* Note that "ip4-auto-default-route" or "ip6-auto-default-route" enabled,
* implies to automatically choose a fwmark.
*
* Since: 1.16
**/
obj_properties[PROP_FWMARK] =
g_param_spec_uint(NM_SETTING_WIREGUARD_FWMARK,
"",
"",
0,
G_MAXUINT32,
0,
G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:listen-port:
*
* The listen-port. If listen-port is not specified, the port will be chosen
* randomly when the interface comes up.
*
* Since: 1.16
**/
obj_properties[PROP_LISTEN_PORT] =
g_param_spec_uint(NM_SETTING_WIREGUARD_LISTEN_PORT,
"",
"",
0,
65535,
0,
G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:peer-routes:
*
* Whether to automatically add routes for the AllowedIPs ranges
* of the peers. If %TRUE (the default), NetworkManager will automatically
* add routes in the routing tables according to ipv4.route-table and
* ipv6.route-table. Usually you want this automatism enabled.
* If %FALSE, no such routes are added automatically. In this case, the
* user may want to configure static routes in ipv4.routes and ipv6.routes,
* respectively.
*
* Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the profile's
* ipv4.never-default or ipv6.never-default setting is enabled, the peer route for
* this peer won't be added automatically.
*
* Since: 1.16
**/
obj_properties[PROP_PEER_ROUTES] = g_param_spec_boolean(
NM_SETTING_WIREGUARD_PEER_ROUTES,
"",
"",
TRUE,
G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:mtu:
*
* If non-zero, only transmit packets of the specified size or smaller,
* breaking larger packets up into multiple fragments.
*
* If zero a default MTU is used. Note that contrary to wg-quick's MTU
* setting, this does not take into account the current routes at the
* time of activation.
*
* Since: 1.16
**/
obj_properties[PROP_MTU] =
g_param_spec_uint(NM_SETTING_WIREGUARD_MTU,
"",
"",
0,
G_MAXUINT32,
0,
G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:ip4-auto-default-route:
*
* Whether to enable special handling of the IPv4 default route.
* If enabled, the IPv4 default route from wireguard.peer-routes
* will be placed to a dedicated routing-table and two policy routing rules
* will be added. The fwmark number is also used as routing-table for the default-route,
* and if fwmark is zero, an unused fwmark/table is chosen automatically.
* This corresponds to what wg-quick does with Table=auto and what WireGuard
* calls "Improved Rule-based Routing".
*
* Note that for this automatism to work, you usually don't want to set
* ipv4.gateway, because that will result in a conflicting default route.
*
* Leaving this at the default will enable this option automatically
* if ipv4.never-default is not set and there are any peers that use
* a default-route as allowed-ips.
*
* Since: 1.20
**/
obj_properties[PROP_IP4_AUTO_DEFAULT_ROUTE] = g_param_spec_enum(
NM_SETTING_WIREGUARD_IP4_AUTO_DEFAULT_ROUTE,
"",
"",
NM_TYPE_TERNARY,
NM_TERNARY_DEFAULT,
NM_SETTING_PARAM_FUZZY_IGNORE | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
/**
* NMSettingWireGuard:ip6-auto-default-route:
*
* Like ip4-auto-default-route, but for the IPv6 default route.
*
* Since: 1.20
**/
obj_properties[PROP_IP6_AUTO_DEFAULT_ROUTE] = g_param_spec_enum(
NM_SETTING_WIREGUARD_IP6_AUTO_DEFAULT_ROUTE,
"",
"",
NM_TYPE_TERNARY,
NM_TERNARY_DEFAULT,
NM_SETTING_PARAM_FUZZY_IGNORE | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
/* ---dbus---
* property: peers
* format: array of 'a{sv}'
* description: Array of dictionaries for the WireGuard peers.
* ---end---
*/
_nm_properties_override_dbus(
properties_override,
NM_SETTING_WIREGUARD_PEERS,
NM_SETT_INFO_PROPERT_TYPE(.dbus_type = NM_G_VARIANT_TYPE("aa{sv}"),
.to_dbus_fcn = _peers_dbus_only_synth,
.from_dbus_fcn = _peers_dbus_only_set, ));
g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
_nm_setting_class_commit_full(setting_class,
NM_META_SETTING_TYPE_WIREGUARD,
NULL,
properties_override);
}