Browse Source

Improved private key handling (security)

pull/1087/head
billz 1 year ago
parent
commit
4515ac95fb
  1. 1
      ajax/networking/get_wgkey.php
  2. 1
      app/js/custom.js
  3. 8
      includes/wireguard.php
  4. 1
      templates/wg/general.php
  5. 1
      templates/wg/peers.php

1
ajax/networking/get_wgkey.php

@ -15,7 +15,6 @@ if (isset($entity)) {
exec("sudo wg genkey | tee $privkey_tmp | wg pubkey > $pubkey_tmp", $return);
$wgdata['pubkey'] = str_replace("\n",'',file_get_contents($pubkey_tmp));
$wgdata['privkey'] = str_replace("\n",'',file_get_contents($privkey_tmp));
exec("sudo mv $privkey_tmp $privkey", $return);
exec("sudo mv $pubkey_tmp $pubkey", $return);

1
app/js/custom.js

@ -357,7 +357,6 @@ $('.wg-keygen').click(function(){
$.post('ajax/networking/get_wgkey.php',{'entity':entity_pub.attr('name') },function(data){
var jsonData = JSON.parse(data);
entity_pub.val(jsonData.pubkey);
entity_priv.val(jsonData.privkey);
$('#' + updated).removeClass('check-hidden').addClass('check-updated').delay(500).animate({ opacity: 1 }, 700);
})
})

8
includes/wireguard.php

@ -110,11 +110,15 @@ function SaveWireGuardConfig($status)
}
// Save settings
if ($good_input) {
// fetch private keys from filesytem
$wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
$wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
// server (wg0.conf)
$config[] = '[Interface]';
$config[] = 'Address = '.$_POST['wg_srvipaddress'];
$config[] = 'ListenPort = '.$_POST['wg_srvport'];
$config[] = 'PrivateKey = '.$_POST['wg_srvprivkey'];
$config[] = 'PrivateKey = '.$wg_srvprivkey;
$config[] = 'PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE';
$config[] = 'PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE';
$config[] = '';
@ -139,7 +143,7 @@ function SaveWireGuardConfig($status)
if ($_POST['wg_pendpoint'] !== '') {
$config[] = 'Address = '.trim($_POST['wg_pendpoint']);
}
$config[] = 'PrivateKey = '.$_POST['wg_peerprivkey'];
$config[] = 'PrivateKey = '.$wg_peerprivkey;
$config[] = '';
$config[] = '[Peer]';
$config[] = 'PublicKey = '.$_POST['wg-server'];

1
templates/wg/general.php

@ -24,7 +24,6 @@
<button class="btn btn-outline-secondary rounded-right wg-keygen" type="button"><i class="fas fa-magic"></i></button>
<span id="wg-server-pubkey-status" class="input-group-addon check-hidden ml-2 mt-1"><i class="fas fa-check"></i></span>
</div>
<input type="hidden" name="wg_srvprivkey" value="<?php echo htmlspecialchars($wg_srvprivkey, ENT_QUOTES); ?>" />
</div>
</div>

1
templates/wg/peers.php

@ -22,7 +22,6 @@
<button class="btn btn-outline-secondary rounded-right wg-keygen" type="button"><i class="fas fa-magic"></i></button>
<span id="wg-peer-pubkey-status" class="input-group-addon check-hidden ml-2 mt-1"><i class="fas fa-check"></i></span>
</div>
<input type="hidden" name="wg_peerprivkey" value="<?php echo htmlspecialchars($wg_peerprivkey, ENT_QUOTES); ?>" />
</div>
</div>

Loading…
Cancel
Save