authorJason A. Donenfeld <Jason@zx2c4.com>2017-04-27 11:10:50 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-05-17 18:07:42 +0200
commitdc34c6f2e6f038f2943fff1057a8dd307d9193cd (patch)
tree48168bb90f94f1d766ba47f8e0765dccc134c3bc /src/tools
parentchacha20poly1305: implement vectorized hchacha20 (diff)
noise: redesign preshared key mode
Diffstat (limited to 'src/tools')
-rw-r--r--src/tools/completion/wg.bash-completion7
-rw-r--r--src/tools/config.c43
-rw-r--r--src/tools/set.c2
-rw-r--r--src/tools/show.c19
-rw-r--r--src/tools/showconf.c8
-rw-r--r--src/tools/wg.822
6 files changed, 52 insertions, 49 deletions
diff --git a/src/tools/completion/wg.bash-completion b/src/tools/completion/wg.bash-completion
index 355012c..5401bc3 100644
--- a/src/tools/completion/wg.bash-completion
+++ b/src/tools/completion/wg.bash-completion
@@ -21,7 +21,7 @@ _wg_completion() {
fi
if [[ $COMP_CWORD -eq 3 && ${COMP_WORDS[1]} == show && ${COMP_WORDS[2]} != interfaces ]]; then
- COMPREPLY+=( $(compgen -W "public-key private-key preshared-key listen-port peers endpoints allowed-ips fwmark latest-handshakes persistent-keepalive transfer dump" -- "${COMP_WORDS[3]}") )
+ COMPREPLY+=( $(compgen -W "public-key private-key listen-port peers preshared-keys endpoints allowed-ips fwmark latest-handshakes persistent-keepalive transfer dump" -- "${COMP_WORDS[3]}") )
return
fi
@@ -39,7 +39,6 @@ _wg_completion() {
[[ ${COMP_WORDS[i]} == listen-port ]] && has_listen_port=1
[[ ${COMP_WORDS[i]} == fwmark ]] && has_fwmark=1
[[ ${COMP_WORDS[i]} == private-key ]] && has_private_key=1
- [[ ${COMP_WORDS[i]} == preshared-key ]] && has_preshared_key=1
[[ ${COMP_WORDS[i]} == peer ]] && { has_peer=$i; break; }
done
if [[ $has_peer -eq 0 ]]; then
@@ -47,7 +46,6 @@ _wg_completion() {
[[ $has_listen_port -eq 1 ]] || words+=( listen-port )
[[ $has_fwmark -eq 1 ]] || words+=( fwmark )
[[ $has_private_key -eq 1 ]] || words+=( private-key )
- [[ $has_preshared_key -eq 1 ]] || words+=( preshared-key )
words+=( peer )
COMPREPLY+=( $(compgen -W "${words[*]}" -- "${COMP_WORDS[COMP_CWORD]}") )
elif [[ ${COMP_WORDS[COMP_CWORD-1]} == *-key ]]; then
@@ -70,6 +68,7 @@ _wg_completion() {
has_endpoint=0
has_persistent_keepalive=0
has_allowed_ips=0
+ has_preshared_key=0
[[ ${COMP_WORDS[i+2]} == = ]] && ((i+=2)) || ((i++))
continue
fi
@@ -77,6 +76,7 @@ _wg_completion() {
[[ ${COMP_WORDS[i]} == endpoint ]] && has_endpoint=1
[[ ${COMP_WORDS[i]} == persistent-keepalive ]] && has_persistent_keepalive=1
[[ ${COMP_WORDS[i]} == allowed-ips ]] && has_allowed_ips=1
+ [[ ${COMP_WORDS[i]} == preshared-key ]] && has_preshared_key=1
[[ ${COMP_WORDS[i]} == remove ]] || ((i++))
done
@@ -84,6 +84,7 @@ _wg_completion() {
((COMP_CWORD == j)) || return
if [[ $has_remove -ne 1 ]]; then
+ [[ $has_preshared_key -eq 1 ]] || words+=( preshared-key )
[[ $has_endpoint -eq 1 ]] || words+=( endpoint )
[[ $has_allowed_ips -eq 1 ]] || words+=( allowed-ips )
[[ $has_persistent_keepalive -eq 1 ]] || words+=( persistent-keepalive )
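Review bot: `preshared-key` is now offered as a peer-section word, but none of this file's hunks add file-name completion for the argument that follows it; the only `*-key` file-completion case visible is `elif [[ ${COMP_WORDS[COMP_CWORD-1]} == *-key ]]` in an earlier hunk, and that sits inside the `has_peer -eq 0` branch. Unless the peer branch, which continues past this hunk, already has an equivalent case, `wg set <if> peer <key> preshared-key <TAB>` completes nothing while `private-key <TAB>` completes a path. A case mirroring the existing `*-key` one, keyed on `${COMP_WORDS[COMP_CWORD-1]} == preshared-key`, in the peer branch's value-completion chain would close the gap. _wg_completion starts and ends outside the hunk.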
diff --git a/src/tools/config.c b/src/tools/config.c
index c00e91c..a129088 100644
--- a/src/tools/config.c
+++ b/src/tools/config.c
@@ -323,10 +323,6 @@ static bool process_line(struct config_ctx *ctx, const char *line)
ret = parse_key(ctx->buf.dev->private_key, value);
if (!ret)
memset(ctx->buf.dev->private_key, 0, WG_KEY_LEN);
- } else if (key_match("PresharedKey")) {
- ret = parse_key(ctx->buf.dev->preshared_key, value);
- if (!ret)
- memset(ctx->buf.dev->preshared_key, 0, WG_KEY_LEN);
} else
goto error;
} else if (ctx->is_peer_section) {
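Review bot: An `Interface`-section `PresharedKey`, which every pre-existing configuration using the feature has, now falls through to the generic `goto error` rather than a message explaining that the key moved to the `[Peer]` section. If the `error` label (outside the hunk) reports only the offending line, a dedicated branch such as `} else if (key_match("PresharedKey")) { fprintf(stderr, "PresharedKey now belongs in a [Peer] section\n"); goto error; }` would make the migration failure self-explanatory instead of looking like a typo in the config. process_line continues outside the hunk on both sides.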
@@ -338,7 +334,11 @@ static bool process_line(struct config_ctx *ctx, const char *line)
ret = parse_ipmasks(&ctx->buf, ctx->peer_offset, value);
else if (key_match("PersistentKeepalive"))
ret = parse_persistent_keepalive(&peer_from_offset(ctx->buf.dev, ctx->peer_offset)->persistent_keepalive_interval, value);
- else
+ else if (key_match("PresharedKey")) {
+ ret = parse_key(peer_from_offset(ctx->buf.dev, ctx->peer_offset)->preshared_key, value);
+ if (!ret)
+ memset(peer_from_offset(ctx->buf.dev, ctx->peer_offset)->preshared_key, 0, WG_KEY_LEN);
+ } else
goto error;
} else
goto error;
@@ -408,8 +408,6 @@ bool config_read_finish(struct config_ctx *ctx)
fprintf(stderr, "No private key configured\n");
goto err;
}
- if (ctx->buf.dev->flags & WGDEVICE_REPLACE_PEERS && !key_is_valid(ctx->buf.dev->preshared_key))
- ctx->buf.dev->flags |= WGDEVICE_REMOVE_PRESHARED_KEY;
if (ctx->buf.dev->flags & WGDEVICE_REPLACE_PEERS && !ctx->buf.dev->fwmark)
ctx->buf.dev->flags |= WGDEVICE_REMOVE_FWMARK;
@@ -508,21 +506,6 @@ bool config_read_cmd(struct wgdevice **device, char *argv[], int argc)
goto error;
argv += 2;
argc -= 2;
- } else if (!strcmp(argv[0], "preshared-key") && argc >= 2 && !buf.dev->num_peers) {
- char *line;
- int ret = read_line(&line, argv[1]);
- if (ret == 0) {
- if (!parse_key(buf.dev->preshared_key, line)) {
- free(line);
- goto error;
- }
- free(line);
- } else if (ret == 1)
- buf.dev->flags |= WGDEVICE_REMOVE_PRESHARED_KEY;
- else
- goto error;
- argv += 2;
- argc -= 2;
} else if (!strcmp(argv[0], "peer") && argc >= 2) {
peer_offset = buf.pos;
if (use_space(&buf, sizeof(struct wgpeer)) < 0) {
@@ -560,6 +543,22 @@ bool config_read_cmd(struct wgdevice **device, char *argv[], int argc)
goto error;
argv += 2;
argc -= 2;
+ } else if (!strcmp(argv[0], "preshared-key") && argc >= 2 && buf.dev->num_peers) {
+ char *line;
+ int ret = read_line(&line, argv[1]);
+ if (ret == 0) {
+ if (!parse_key(peer_from_offset(buf.dev, peer_offset)->preshared_key, line)) {
+ free(line);
+ goto error;
+ }
+ free(line);
+ } else if (ret == 1) {
+ free(line);
+ buf.dev->flags |= WGPEER_REMOVE_PRESHARED_KEY;
+ } else
+ goto error;
+ argv += 2;
+ argc -= 2;
} else {
fprintf(stderr, "Invalid argument: %s\n", argv[0]);
goto error;
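Review bot: `buf.dev->flags |= WGPEER_REMOVE_PRESHARED_KEY;` sets a peer-scoped flag on the device's flag word, while the key being removed belongs to the peer at `peer_offset` that the parse path two lines above writes through `peer_from_offset(buf.dev, peer_offset)`. Assuming `struct wgpeer` carries its own `flags` field, as the WGPEER_ prefix suggests, the line should read `peer_from_offset(buf.dev, peer_offset)->flags |= WGPEER_REMOVE_PRESHARED_KEY;` — as written, the device flag word receives a bit defined for peers and the peer's removal request is never conveyed. Separately, `line` is freed on the `ret == 0` and `ret == 1` paths but not before the final `goto error`; if read_line can allocate before reporting a failure, that path leaks (the interface-level code removed in the earlier hunk had the same shape). config_read_cmd continues outside the hunk.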
diff --git a/src/tools/set.c b/src/tools/set.c
index 5e4291f..497edcc 100644
--- a/src/tools/set.c
+++ b/src/tools/set.c
@@ -13,7 +13,7 @@ int set_main(int argc, char *argv[])
int ret = 1;
if (argc < 3) {
- fprintf(stderr, "Usage: %s %s <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>] [peer <base64 public key> [remove] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...\n", PROG_NAME, argv[0]);
+ fprintf(stderr, "Usage: %s %s <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>] [peer <base64 public key> [remove] [preshared-key <file path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...\n", PROG_NAME, argv[0]);
return 1;
}
diff --git a/src/tools/show.c b/src/tools/show.c
index 8134883..7f67dba 100644
--- a/src/tools/show.c
+++ b/src/tools/show.c
@@ -201,7 +201,7 @@ static char *bytes(uint64_t b)
static const char *COMMAND_NAME = NULL;
static void show_usage(void)
{
- fprintf(stderr, "Usage: %s %s { <interface> | all | interfaces } [public-key | private-key | preshared-key | listen-port | fwmark | peers | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump]\n", PROG_NAME, COMMAND_NAME);
+ fprintf(stderr, "Usage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump]\n", PROG_NAME, COMMAND_NAME);
}
static void pretty_print(struct wgdevice *device)
@@ -216,8 +216,6 @@ static void pretty_print(struct wgdevice *device)
terminal_printf(" " TERMINAL_BOLD "public key" TERMINAL_RESET ": %s\n", key(device->public_key));
if (memcmp(device->private_key, zero, WG_KEY_LEN))
terminal_printf(" " TERMINAL_BOLD "private key" TERMINAL_RESET ": %s\n", masked_key(device->private_key));
- if (memcmp(device->preshared_key, zero, WG_KEY_LEN))
- terminal_printf(" " TERMINAL_BOLD "preshared key" TERMINAL_RESET ": %s\n", masked_key(device->preshared_key));
if (device->port)
terminal_printf(" " TERMINAL_BOLD "listening port" TERMINAL_RESET ": %u\n", device->port);
if (device->fwmark)
@@ -228,6 +226,8 @@ static void pretty_print(struct wgdevice *device)
}
for_each_wgpeer(device, peer, i) {
terminal_printf(TERMINAL_FG_YELLOW TERMINAL_BOLD "peer" TERMINAL_RESET ": " TERMINAL_FG_YELLOW "%s" TERMINAL_RESET "\n", key(peer->public_key));
+ if (memcmp(peer->preshared_key, zero, WG_KEY_LEN))
+ terminal_printf(" " TERMINAL_BOLD "preshared key" TERMINAL_RESET ": %s\n", masked_key(peer->preshared_key));
if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6)
terminal_printf(" " TERMINAL_BOLD "endpoint" TERMINAL_RESET ": %s\n", endpoint(&peer->endpoint.addr));
terminal_printf(" " TERMINAL_BOLD "allowed ips" TERMINAL_RESET ": ");
@@ -260,7 +260,6 @@ static void dump_print(struct wgdevice *device, bool with_interface)
printf("%s\t", device->interface);
printf("%s\t", key(device->private_key));
printf("%s\t", key(device->public_key));
- printf("%s\t", key(device->preshared_key));
printf("%u\t", device->port);
if (device->fwmark)
printf("0x%x\n", device->fwmark);
@@ -270,6 +269,7 @@ static void dump_print(struct wgdevice *device, bool with_interface)
if (with_interface)
printf("%s\t", device->interface);
printf("%s\t", key(peer->public_key));
+ printf("%s\t", key(peer->preshared_key));
if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6)
printf("%s\t", endpoint(&peer->endpoint.addr));
else
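Review bot: `printf("%s\t", key(peer->preshared_key));` inserts a new second field into every peer line of `dump`, so scripts that index the previously documented layout by position now read the preshared key where they expected the endpoint, and the interface line loses a field as well (previous hunk). The man page hunk in this commit documents the new layout, but the tool itself emits no format or version marker, so the break is silent for existing consumers; the commit message should at least name the layout change for script authors. dump_print continues outside the hunk.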
@@ -301,10 +301,6 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int
if (with_interface)
printf("%s\t", device->interface);
printf("%s\n", key(device->private_key));
- } else if (!strcmp(param, "preshared-key")) {
- if (with_interface)
- printf("%s\t", device->interface);
- printf("%s\n", key(device->preshared_key));
} else if (!strcmp(param, "listen-port")) {
if (with_interface)
printf("%s\t", device->interface);
@@ -358,6 +354,13 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int
else
printf("%s\toff\n", key(peer->public_key));
}
+ } else if (!strcmp(param, "preshared-keys")) {
+ for_each_wgpeer(device, peer, i) {
+ if (with_interface)
+ printf("%s\t", device->interface);
+ printf("%s\t", key(peer->public_key));
+ printf("%s\n", key(peer->preshared_key));
+ }
} else if (!strcmp(param, "peers")) {
for_each_wgpeer(device, peer, i) {
if (with_interface)
diff --git a/src/tools/showconf.c b/src/tools/showconf.c
index da48486..039abee 100644
--- a/src/tools/showconf.c
+++ b/src/tools/showconf.c
@@ -50,14 +50,14 @@ int showconf_main(int argc, char *argv[])
key_to_base64(base64, device->private_key);
printf("PrivateKey = %s\n", base64);
}
- if (memcmp(device->preshared_key, zero, WG_KEY_LEN)) {
- key_to_base64(base64, device->preshared_key);
- printf("PresharedKey = %s\n", base64);
- }
printf("\n");
for_each_wgpeer(device, peer, i) {
key_to_base64(base64, peer->public_key);
printf("[Peer]\nPublicKey = %s\n", base64);
+ if (memcmp(peer->preshared_key, zero, WG_KEY_LEN)) {
+ key_to_base64(base64, peer->preshared_key);
+ printf("PresharedKey = %s\n", base64);
+ }
if (peer->num_ipmasks)
printf("AllowedIPs = ");
for_each_wgipmask(peer, ipmask, j) {
diff --git a/src/tools/wg.8 b/src/tools/wg.8
index 2aa800e..1517432 100644
--- a/src/tools/wg.8
+++ b/src/tools/wg.8
@@ -36,7 +36,7 @@ Sub-commands that take an INTERFACE must be passed a WireGuard interface.
.SH COMMANDS
.TP
-\fBshow\fP { \fI<interface>\fP | \fIall\fP | \fIinterfaces\fP } [\fIpublic-key\fP | \fIprivate-key\fP | \fIpreshared-key\fP | \fIlisten-port\fP | \fIfwmark\fP | \fIpeers\fP | \fIendpoints\fP | \fIallowed-ips\fP | \fIlatest-handshakes\fP | \fIpersistent-keepalive\fP | \fItransfer\fP | \fIdump\fP]
+\fBshow\fP { \fI<interface>\fP | \fIall\fP | \fIinterfaces\fP } [\fIpublic-key\fP | \fIprivate-key\fP | \fIlisten-port\fP | \fIfwmark\fP | \fIpeers\fP | \fIpreshared-keys\fP | \fIendpoints\fP | \fIallowed-ips\fP | \fIlatest-handshakes\fP | \fIpersistent-keepalive\fP | \fItransfer\fP | \fIdump\fP]
Shows current WireGuard configuration of specified \fI<interface>\fP.
If no \fI<interface>\fP is specified, \fI<interface>\fP defaults to \fIall\fP.
If \fIinterfaces\fP is specified, prints a list of all WireGuard interfaces,
@@ -46,16 +46,16 @@ meant for the terminal. Otherwise, prints specified information grouped by
newlines and tabs, meant to be used in scripts. For this script-friendly display,
if \fIall\fP is specified, then the first field for all categories of information
is the interface name. If \fPdump\fP is specified, then several lines are printed;
-the first contains in order separated by tab: private-key, public-key, preshared-key,
-listen-port, fwmark. Subsequent lines are printed for each peer and contain in order
-separated by tab: public-key, endpoint, allowed-ips, latest-handshake, transfer-rx,
-transfer-tx, persistent-keepalive.
+the first contains in order separated by tab: private-key, public-key, listen-port,
+fwmark. Subsequent lines are printed for each peer and contain in order separated
+by tab: public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
+transfer-rx, transfer-tx, persistent-keepalive.
.TP
\fBshowconf\fP \fI<interface>\fP
Shows the current configuration of \fI<interface>\fP in the format described
by \fICONFIGURATION FILE FORMAT\fP below.
.TP
-\fBset\fP \fI<interface>\fP [\fIlisten-port\fP \fI<port>\fP] [\fIfwmark\fP \fI<fwmark>\fP] [\fIprivate-key\fP \fI<file-path>\fP] [\fIpreshared-key\fP \fI<file-path>\fP] [\fIpeer\fP \fI<base64-public-key>\fP [\fIremove\fP] [\fIendpoint\fP \fI<ip>:<port>\fP] [\fIpersistent-keepalive\fP \fI<interval seconds>\fP] [\fIallowed-ips\fP \fI<ip1>/<cidr1>\fP[,\fI<ip2>/<cidr2>\fP]...] ]...
+\fBset\fP \fI<interface>\fP [\fIlisten-port\fP \fI<port>\fP] [\fIfwmark\fP \fI<fwmark>\fP] [\fIprivate-key\fP \fI<file-path>\fP] [\fIpeer\fP \fI<base64-public-key>\fP [\fIremove\fP] [\fIpreshared-key\fP \fI<file-path>\fP] [\fIendpoint\fP \fI<ip>:<port>\fP] [\fIpersistent-keepalive\fP \fI<interval seconds>\fP] [\fIallowed-ips\fP \fI<ip1>/<cidr1>\fP[,\fI<ip2>/<cidr2>\fP]...] ]...
Sets configuration values for the specified \fI<interface>\fP. Multiple
\fIpeer\fPs may be specified, and if the \fIremove\fP argument is given
for a peer, that peer is removed, not configured. If \fIlisten-port\fP
@@ -126,11 +126,6 @@ The \fIInterface\fP section may contain the following fields:
.IP \(bu
PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required.
.IP \(bu
-PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional,
-and may be omitted. This option adds an additional layer of symmetric-key
-cryptography to be mixed into the already existing public-key cryptography,
-for post-quantum resistance.
-.IP \(bu
ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
randomly.
.IP \(bu
@@ -143,6 +138,11 @@ PublicKey \(em a base64 public key calculated by \fIwg pubkey\fP from a
private key, and usually transmitted out of band to the author of the
configuration file. Required.
.IP \(bu
+PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional,
+and may be omitted. This option adds an additional layer of symmetric-key
+cryptography to be mixed into the already existing public-key cryptography,
+for post-quantum resistance.
+.IP \(bu
AllowedIPs \(em a comma-separated list of ip (v4 or v6) addresses with
CIDR masks from which this peer is allowed to send incoming traffic and
to which outgoing traffic for this peer is directed. The catch-all