Improved private key handling (security)

2 years ago · 4515ac95fb
5 changed files with 6 additions and 6 deletions
--- a/ajax/networking/get_wgkey.php
+++ b/ajax/networking/get_wgkey.php
@ -15,7 +15,6 @@ if (isset($entity)) {
     
    exec("sudo wg genkey | tee $privkey_tmp | wg pubkey > $pubkey_tmp", $return);
    $wgdata['pubkey'] = str_replace("\n",'',file_get_contents($pubkey_tmp));
-    $wgdata['privkey'] = str_replace("\n",'',file_get_contents($privkey_tmp));
    exec("sudo mv $privkey_tmp $privkey", $return);
    exec("sudo mv $pubkey_tmp $pubkey", $return);

--- a/app/js/custom.js
+++ b/app/js/custom.js
@ -357,7 +357,6 @@ $('.wg-keygen').click(function(){
    $.post('ajax/networking/get_wgkey.php',{'entity':entity_pub.attr('name') },function(data){
        var jsonData = JSON.parse(data);
        entity_pub.val(jsonData.pubkey);
-        entity_priv.val(jsonData.privkey);
        $('#' + updated).removeClass('check-hidden').addClass('check-updated').delay(500).animate({ opacity: 1 }, 700);
    })
 })
--- a/includes/wireguard.php
+++ b/includes/wireguard.php
@ -110,11 +110,15 @@ function SaveWireGuardConfig($status)
    }
    // Save settings
    if ($good_input) {
+        // fetch private keys from filesytem
+        $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
+        $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
+
        // server (wg0.conf)
        $config[] = '[Interface]';
        $config[] = 'Address = '.$_POST['wg_srvipaddress'];
        $config[] = 'ListenPort = '.$_POST['wg_srvport'];
-        $config[] = 'PrivateKey = '.$_POST['wg_srvprivkey'];
+        $config[] = 'PrivateKey = '.$wg_srvprivkey;
        $config[] = 'PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE';
        $config[] = 'PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE';
        $config[] = '';
@ -139,7 +143,7 @@ function SaveWireGuardConfig($status)
        if ($_POST['wg_pendpoint'] !== '') {
            $config[] = 'Address = '.trim($_POST['wg_pendpoint']);
        }
-        $config[] = 'PrivateKey = '.$_POST['wg_peerprivkey'];
+        $config[] = 'PrivateKey = '.$wg_peerprivkey;
        $config[] = '';
        $config[] = '[Peer]';
        $config[] = 'PublicKey = '.$_POST['wg-server'];
--- a/templates/wg/general.php
+++ b/templates/wg/general.php
@ -24,7 +24,6 @@
              <button class="btn btn-outline-secondary rounded-right wg-keygen" type="button"><i class="fas fa-magic"></i></button>
              <span id="wg-server-pubkey-status" class="input-group-addon check-hidden ml-2 mt-1"><i class="fas fa-check"></i></span>
            </div>
-            <input type="hidden" name="wg_srvprivkey" value="<?php echo htmlspecialchars($wg_srvprivkey, ENT_QUOTES); ?>" />
          </div>
        </div>

--- a/templates/wg/peers.php
+++ b/templates/wg/peers.php
@ -22,7 +22,6 @@
            <button class="btn btn-outline-secondary rounded-right wg-keygen" type="button"><i class="fas fa-magic"></i></button>
            <span id="wg-peer-pubkey-status" class="input-group-addon check-hidden ml-2 mt-1"><i class="fas fa-check"></i></span>
          </div>
-          <input type="hidden" name="wg_peerprivkey" value="<?php echo htmlspecialchars($wg_peerprivkey, ENT_QUOTES); ?>" />
        </div>
      </div>