libnm: add NMWireGuardPeer and libnm support for peers

clients/common/nm-secret-agent-simple.c

@@ -214,6 +214,32 @@ _secret_real_new_vpn_secret (const char *pretty_name,
 	return &real->base;
 }
 
+static NMSecretAgentSimpleSecret *
+_secret_real_new_wireguard_peer_psk (NMSettingWireGuard *s_wg,
+                                     const char *public_key,
+                                     const char *preshared_key)
+{
+	SecretReal *real;
+
+	nm_assert (NM_IS_SETTING_WIREGUARD (s_wg));
+	nm_assert (public_key);
+
+	real = g_slice_new (SecretReal);
+	*real = (SecretReal) {
+		.base.secret_type        = NM_SECRET_AGENT_SECRET_TYPE_WIREGUARD_PEER_PSK,
+		.base.pretty_name        = g_strdup_printf (_("Preshared-key for %s"),
+		                                            public_key),
+		.base.entry_id           = g_strdup_printf (NM_SETTING_WIREGUARD_SETTING_NAME"."NM_SETTING_WIREGUARD_PEERS".%s."NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY,
+		                                            public_key),
+		.base.value              = g_strdup (preshared_key),
+		.base.is_secret          = TRUE,
+		.base.no_prompt_entry_id = TRUE,
+		.setting                 = NM_SETTING (g_object_ref (s_wg)),
+		.property                = g_strdup (public_key),
+	};
+	return &real->base;
+}
+
 /*****************************************************************************/
 
 static gboolean
@@ -464,19 +490,37 @@ add_wireguard_secrets (RequestData *request,
 	}
 
 	if (request->hints) {
+
 		for (i = 0; request->hints[i]; i++) {
+			NMWireGuardPeer *peer;
 			const char *name = request->hints[i];
-			gs_free char *peer_name = NULL;
+			gs_free char *public_key = NULL;
 
 			if (nm_streq (name, NM_SETTING_WIREGUARD_PRIVATE_KEY))
 				continue;
 
-			/* TODO: add support for WireGuard peers and their preshared-key. */
+			if (NM_STR_HAS_PREFIX (name, NM_SETTING_WIREGUARD_PEERS".")) {
-			g_set_error (error, NM_SECRET_AGENT_ERROR, NM_SECRET_AGENT_ERROR_FAILED,
+				const char *tmp;
-			             _("Cannot service unknown WireGuard hint '%s' for secrets request %s"),
+
-			             name,
+				tmp = &name[NM_STRLEN (NM_SETTING_WIREGUARD_PEERS".")];
-			             request->request_id);
+				if (NM_STR_HAS_SUFFIX (tmp, "."NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY)) {
-			return FALSE;
+					public_key = g_strndup (tmp,
+					                       strlen (tmp) - NM_STRLEN ("."NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY));
+				}
+			}
+
+			if (!public_key)
+				continue;
+
+			peer = nm_setting_wireguard_get_peer_by_public_key (s_wg, public_key, NULL);
+
+			g_ptr_array_add (secrets, _secret_real_new_wireguard_peer_psk (s_wg,
+			                                                               (  peer
+			                                                                ? nm_wireguard_peer_get_public_key (peer)
+			                                                                : public_key),
+			                                                               (  peer
+			                                                                ? nm_wireguard_peer_get_preshared_key (peer)
+			                                                                : NULL)));
 		}
 	}
 
@@ -1034,10 +1078,13 @@ nm_secret_agent_simple_response (NMSecretAgentSimple *self,
 	if (secrets) {
 		GVariantBuilder conn_builder, *setting_builder;
 		GVariantBuilder vpn_secrets_builder;
+		GVariantBuilder wg_secrets_builder;
+		GVariantBuilder wg_peer_builder;
 		GHashTable *settings;
 		GHashTableIter iter;
 		const char *name;
 		gboolean has_vpn = FALSE;
+		gboolean has_wg = FALSE;
 
 		settings = g_hash_table_new (nm_str_hash, g_str_equal);
 		for (i = 0; i < secrets->len; i++) {
@@ -1065,6 +1112,19 @@ nm_secret_agent_simple_response (NMSecretAgentSimple *self,
 				g_variant_builder_add (&vpn_secrets_builder, "{ss}",
 				                       secret->property, secret->base.value);
 				break;
+			case NM_SECRET_AGENT_SECRET_TYPE_WIREGUARD_PEER_PSK:
+				if (!has_wg) {
+					g_variant_builder_init (&wg_secrets_builder, G_VARIANT_TYPE ("aa{sv}"));
+					has_wg = TRUE;
+				}
+				g_variant_builder_init (&wg_peer_builder, G_VARIANT_TYPE ("a{sv}"));
+				g_variant_builder_add (&wg_peer_builder, "{sv}",
+				                       NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY, g_variant_new_string (secret->property));
+				g_variant_builder_add (&wg_peer_builder, "{sv}",
+				                       NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, g_variant_new_string (secret->base.value));
+				g_variant_builder_add (&wg_secrets_builder, "a{sv}",
+				                       &wg_peer_builder);
+				break;
 			}
 		}
 
@@ -1074,6 +1134,12 @@ nm_secret_agent_simple_response (NMSecretAgentSimple *self,
 			                       g_variant_builder_end (&vpn_secrets_builder));
 		}
 
+		if (has_wg) {
+			g_variant_builder_add (setting_builder, "{sv}",
+			                       NM_SETTING_WIREGUARD_PEERS,
+			                       g_variant_builder_end (&wg_secrets_builder));
+		}
+
 		g_variant_builder_init (&conn_builder, NM_VARIANT_TYPE_CONNECTION);
 		g_hash_table_iter_init (&iter, settings);
 		while (g_hash_table_iter_next (&iter, (gpointer *) &name, (gpointer *) &setting_builder))

clients/common/nm-secret-agent-simple.h

@@ -25,6 +25,7 @@ typedef enum {
 	NM_SECRET_AGENT_SECRET_TYPE_PROPERTY,
 	NM_SECRET_AGENT_SECRET_TYPE_SECRET,
 	NM_SECRET_AGENT_SECRET_TYPE_VPN_SECRET,
+	NM_SECRET_AGENT_SECRET_TYPE_WIREGUARD_PEER_PSK,
 } NMSecretAgentSecretType;
 
 typedef struct {

libnm-core/nm-core-internal.h

@@ -634,6 +634,15 @@ NM_AUTO_DEFINE_FCN_VOID0 (NMSockAddrEndpoint *, _nm_auto_unref_sockaddrendpoint,
 
 /*****************************************************************************/
 
+NMSockAddrEndpoint *_nm_wireguard_peer_get_endpoint (const NMWireGuardPeer *self);
+void _nm_wireguard_peer_set_endpoint (NMWireGuardPeer *self,
+                                      NMSockAddrEndpoint *endpoint);
+
+void _nm_wireguard_peer_set_public_key_bin (NMWireGuardPeer *self,
+                                            const guint8 public_key[static NM_WIREGUARD_PUBLIC_KEY_LEN]);
+
+/*****************************************************************************/
+
 typedef struct _NMSettInfoSetting  NMSettInfoSetting;
 typedef struct _NMSettInfoProperty NMSettInfoProperty;
 
@@ -769,6 +778,9 @@ gboolean _nm_connection_find_secret (NMConnection *self,
 
 /*****************************************************************************/
 
+#define nm_auto_unref_wgpeer nm_auto(_nm_auto_unref_wgpeer)
+NM_AUTO_DEFINE_FCN_VOID0 (NMWireGuardPeer *, _nm_auto_unref_wgpeer, nm_wireguard_peer_unref)
+
 gboolean _nm_utils_wireguard_decode_key (const char *base64_key,
                                          gsize required_key_len,
                                          guint8 *out_key);

libnm-core/nm-keyfile-utils.h

@@ -25,7 +25,8 @@
 #error Cannot use this header.
 #endif
 
-#define NM_KEYFILE_GROUP_VPN_SECRETS "vpn-secrets"
+#define NM_KEYFILE_GROUP_VPN_SECRETS          "vpn-secrets"
+#define NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER "wireguard-peer."
 
 const char *nm_keyfile_plugin_get_alias_for_setting_name (const char *setting_name);
 

libnm-core/nm-keyfile.c

@@ -32,6 +32,7 @@
 #include <linux/pkt_sched.h>
 
 #include "nm-utils/nm-secret-utils.h"
+#include "systemd/nm-sd-utils-shared.h"
 #include "nm-common-macros.h"
 #include "nm-core-internal.h"
 #include "nm-keyfile-utils.h"
@@ -2901,6 +2902,137 @@ out:
 		nm_connection_add_setting (info->connection, g_steal_pointer (&setting));
 }
 
+static void
+_read_setting_wireguard_peer (KeyfileReaderInfo *info)
+{
+	gs_unref_object NMSettingWireGuard *s_wg_new = NULL;
+	nm_auto_unref_wgpeer NMWireGuardPeer *peer = NULL;
+	gs_free_error GError *error = NULL;
+	NMSettingWireGuard *s_wg;
+	gs_free char *str = NULL;
+	const char *cstr = NULL;
+	const char *key;
+	gint64 i64;
+	gs_strfreev char **sa = NULL;
+	gsize n_sa;
+
+	peer = nm_wireguard_peer_new ();
+
+	nm_assert (g_str_has_prefix (info->group, NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER));
+	cstr = &info->group[NM_STRLEN (NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER)];
+	if (   !_nm_utils_wireguard_normalize_key (cstr, NM_WIREGUARD_PUBLIC_KEY_LEN, &str)
+	    || !nm_streq0 (str, cstr)) {
+		/* the group name must be identical to the normalized(!) key, so that it
+		 * is uniquely identified. */
+		handle_warn (info, NULL, NM_KEYFILE_WARN_SEVERITY_WARN,
+		             _("invalid peer public key in section '%s'"),
+		             info->group);
+		return;
+	}
+	nm_wireguard_peer_set_public_key (peer, cstr);
+	nm_clear_g_free (&str);
+
+	key = NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY;
+	str = nm_keyfile_plugin_kf_get_string (info->keyfile, info->group, key, NULL);
+	if (str) {
+		if (!_nm_utils_wireguard_decode_key (str, NM_WIREGUARD_SYMMETRIC_KEY_LEN, NULL)) {
+			if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+			                  _("key '%s.%s' is not not a valid 256 bit key in base64 encoding"),
+			                  info->group, key))
+				return;
+		} else
+			nm_wireguard_peer_set_preshared_key (peer, str);
+		nm_clear_g_free (&str);
+	}
+
+	key = NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY_FLAGS;
+	i64 = nm_keyfile_plugin_kf_get_int64 (info->keyfile, info->group, key, 0, 0, NM_SETTING_SECRET_FLAG_ALL, -1, NULL);
+	if (errno != ENODATA) {
+		if (   i64 == -1
+		    || !_nm_setting_secret_flags_valid (i64)) {
+			if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+			                  _("key '%s.%s' is not not a valid secret flag"),
+			                  info->group, key))
+				return;
+		} else
+			nm_wireguard_peer_set_preshared_key_flags (peer, i64);
+	}
+
+	key = NM_WIREGUARD_PEER_ATTR_PERSISTENT_KEEPALIVE;
+	i64 = nm_keyfile_plugin_kf_get_int64 (info->keyfile, info->group, key, 0, 0, G_MAXUINT32, -1, NULL);
+	if (errno != ENODATA) {
+		if (i64 == -1) {
+			if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+			                  _("key '%s.%s' is not not a integer in range 0 to 2^32"),
+			                  info->group, key))
+				return;
+		} else
+			nm_wireguard_peer_set_persistent_keepalive (peer, i64);
+	}
+
+	key = NM_WIREGUARD_PEER_ATTR_ENDPOINT;
+	str = nm_keyfile_plugin_kf_get_string (info->keyfile, info->group, key, NULL);
+	if (str && str[0]) {
+		nm_auto_unref_sockaddrendpoint NMSockAddrEndpoint *ep = NULL;
+
+		ep = nm_sock_addr_endpoint_new (str);
+		if (!nm_sock_addr_endpoint_get_host (ep)) {
+			if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+			                  _("key '%s.%s' is not not a valid endpoint"),
+			                  info->group, key))
+				return;
+		} else
+			_nm_wireguard_peer_set_endpoint (peer, ep);
+	}
+	nm_clear_g_free (&str);
+
+	key = NM_WIREGUARD_PEER_ATTR_ALLOWED_IPS;
+	sa = nm_keyfile_plugin_kf_get_string_list (info->keyfile, info->group, key, &n_sa, NULL);
+	if (n_sa > 0) {
+		gboolean has_error = FALSE;
+		gsize i;
+
+		for (i = 0; i < n_sa; i++) {
+			if (!nm_utils_parse_inaddr_prefix_bin (AF_UNSPEC, sa[i], NULL, NULL, NULL)) {
+				has_error = TRUE;
+				continue;
+			}
+			nm_wireguard_peer_append_allowed_ip (peer, sa[i], TRUE);
+		}
+		if (has_error) {
+			if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+			                  _("key '%s.%s' has invalid allowed-ips"),
+			                  info->group, key))
+				return;
+		}
+	}
+	nm_clear_pointer (&sa, g_strfreev);
+
+	if (info->error)
+		return;
+
+	if (!nm_wireguard_peer_is_valid (peer, TRUE, TRUE, &error)) {
+		if (!handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+		                  _("peer '%s' is invalid: %s"),
+		                  info->group, error->message))
+			return;
+		return;
+	}
+
+	s_wg = NM_SETTING_WIREGUARD (nm_connection_get_setting (info->connection, NM_TYPE_SETTING_WIREGUARD));
+	if (!s_wg) {
+		s_wg_new = NM_SETTING_WIREGUARD (nm_setting_wireguard_new ());
+		s_wg = s_wg_new;
+	}
+
+	nm_setting_wireguard_append_peer (s_wg, peer);
+
+	if (s_wg_new) {
+		nm_connection_add_setting (info->connection,
+		                           NM_SETTING (g_steal_pointer (&s_wg_new)));
+	}
+}
+
 static void
 _read_setting_vpn_secrets (KeyfileReaderInfo *info)
 {
@@ -3021,7 +3153,9 @@ nm_keyfile_read (GKeyFile *keyfile,
 		if (nm_streq (groups[i], NM_KEYFILE_GROUP_VPN_SECRETS)) {
 			/* Only read out secrets when needed */
 			vpn_secrets = TRUE;
-		} else
+		} else if (NM_STR_HAS_PREFIX (groups[i], NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER))
+			_read_setting_wireguard_peer (&info);
+		else
 			_read_setting (&info);
 
 		info.group = NULL;
@@ -3198,6 +3332,92 @@ out_unset_value:
 	g_value_unset (&value);
 }
 
+static void
+_write_setting_wireguard (NMSetting *setting, KeyfileWriterInfo *info)
+{
+	NMSettingWireGuard *s_wg;
+	guint i_peer, n_peers;
+
+	s_wg = NM_SETTING_WIREGUARD (setting);
+
+	n_peers = nm_setting_wireguard_get_peers_len (s_wg);
+	for (i_peer = 0; i_peer < n_peers; i_peer++) {
+		NMWireGuardPeer *peer = nm_setting_wireguard_get_peer (s_wg, i_peer);
+		const char *public_key;
+		char group[NM_STRLEN (NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER) + 200];
+		NMSettingSecretFlags secret_flags;
+		gboolean any_key = FALSE;
+		guint i_aip, n_aip;
+		const char *cstr;
+		guint32 u32;
+
+		public_key = nm_wireguard_peer_get_public_key (peer);
+		if (   !public_key
+		    || !public_key[0]
+		    || !NM_STRCHAR_ALL (public_key, ch, nm_sd_utils_unbase64char (ch, TRUE) >= 0)) {
+			/* invalid peer. Skip it */
+			continue;
+		}
+
+		if (g_snprintf (group,
+		                sizeof (group),
+		                "%s%s",
+		                NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER,
+		                nm_wireguard_peer_get_public_key (peer)) >= sizeof (group)) {
+			/* Too long. Not a valid public key. Skip the peer. */
+			continue;
+		}
+
+		cstr = nm_wireguard_peer_get_endpoint (peer);
+		if (cstr) {
+			g_key_file_set_string (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_ENDPOINT, cstr);
+			any_key = TRUE;
+		}
+
+		secret_flags = nm_wireguard_peer_get_preshared_key_flags (peer);
+		if (_secret_flags_persist_secret (secret_flags)) {
+			cstr = nm_wireguard_peer_get_preshared_key (peer);
+			if (cstr) {
+				g_key_file_set_string (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, cstr);
+				any_key = TRUE;
+			}
+		}
+
+		/* usually, we don't persist the secret-flags 0 (because they are the default).
+		 * For WireGuard peers, the default secret-flags for preshared-key are 4 (not-required).
+		 * So, in this case behave differently: a missing preshared-key-flag setting means
+		 * "not-required". */
+		if (secret_flags != NM_SETTING_SECRET_FLAG_NOT_REQUIRED) {
+			g_key_file_set_int64 (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY_FLAGS, secret_flags);
+			any_key = TRUE;
+		}
+
+		u32 = nm_wireguard_peer_get_persistent_keepalive (peer);
+		if (u32) {
+			g_key_file_set_uint64 (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_PERSISTENT_KEEPALIVE, u32);
+			any_key = TRUE;
+		}
+
+		n_aip = nm_wireguard_peer_get_allowed_ips_len (peer);
+		if (n_aip > 0) {
+			gs_free const char **strv = NULL;
+
+			strv = g_new (const char *, ((gsize) n_aip) + 1);
+			for (i_aip = 0; i_aip < n_aip; i_aip++)
+				strv[i_aip] = nm_wireguard_peer_get_allowed_ip (peer, i_aip, NULL);
+			strv[n_aip] = NULL;
+			g_key_file_set_string_list (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_ALLOWED_IPS,
+			                            strv, n_aip);
+			any_key = TRUE;
+		}
+
+		if (!any_key) {
+			/* we cannot omit all keys. At an empty endpoint. */
+			g_key_file_set_string (info->keyfile, group, NM_WIREGUARD_PEER_ATTR_ENDPOINT, "");
+		}
+	}
+}
+
 GKeyFile *
 nm_keyfile_write (NMConnection *connection,
                   NMKeyfileWriteHandler handler,
@@ -3275,6 +3495,12 @@ nm_keyfile_write (NMConnection *connection,
 				goto out_with_info_error;
 		}
 
+		if (NM_IS_SETTING_WIREGUARD (setting)) {
+			_write_setting_wireguard (setting, &info);
+			if (info.error)
+				goto out_with_info_error;
+		}
+
 		nm_assert (!info.error);
 	}
 

libnm-core/nm-setting-wireguard.h

@@ -25,6 +25,7 @@
 #endif
 
 #include "nm-setting.h"
+#include "nm-utils.h"
 
 G_BEGIN_DECLS
 
@@ -35,6 +36,87 @@ G_BEGIN_DECLS
 
 /*****************************************************************************/
 
+typedef struct _NMWireGuardPeer NMWireGuardPeer;
+
+NM_AVAILABLE_IN_1_16
+GType nm_wireguard_peer_get_type (void);
+
+NM_AVAILABLE_IN_1_16
+NMWireGuardPeer *nm_wireguard_peer_new (void);
+
+NM_AVAILABLE_IN_1_16
+NMWireGuardPeer *nm_wireguard_peer_new_clone (const NMWireGuardPeer *self,
+                                              gboolean with_secrets);
+
+NM_AVAILABLE_IN_1_16
+NMWireGuardPeer *nm_wireguard_peer_ref (NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_unref (NMWireGuardPeer *self);
+
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_seal (NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+gboolean nm_wireguard_peer_is_sealed (const NMWireGuardPeer *self);
+
+NM_AVAILABLE_IN_1_16
+const char *nm_wireguard_peer_get_public_key (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_set_public_key (NMWireGuardPeer *self,
+                                       const char *public_key);
+
+NM_AVAILABLE_IN_1_16
+const char *nm_wireguard_peer_get_preshared_key (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_set_preshared_key (NMWireGuardPeer *self,
+                                          const char *preshared_key);
+
+NM_AVAILABLE_IN_1_16
+NMSettingSecretFlags nm_wireguard_peer_get_preshared_key_flags (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_set_preshared_key_flags (NMWireGuardPeer *self,
+                                                NMSettingSecretFlags preshared_key_flags);
+
+NM_AVAILABLE_IN_1_16
+guint16 nm_wireguard_peer_get_persistent_keepalive (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_set_persistent_keepalive (NMWireGuardPeer *self,
+                                                 guint16 persistent_keepalive);
+
+NM_AVAILABLE_IN_1_16
+const char *nm_wireguard_peer_get_endpoint (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_set_endpoint (NMWireGuardPeer *self,
+                                     const char *endpoint);
+
+NM_AVAILABLE_IN_1_16
+guint nm_wireguard_peer_get_allowed_ips_len (const NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+const char *nm_wireguard_peer_get_allowed_ip (const NMWireGuardPeer *self,
+                                              guint idx,
+                                              gboolean *out_is_valid);
+NM_AVAILABLE_IN_1_16
+void nm_wireguard_peer_clear_allowed_ips (NMWireGuardPeer *self);
+NM_AVAILABLE_IN_1_16
+gboolean nm_wireguard_peer_append_allowed_ip (NMWireGuardPeer *self,
+                                              const char *allowed_ip,
+                                              gboolean accept_invalid);
+NM_AVAILABLE_IN_1_16
+gboolean nm_wireguard_peer_remove_allowed_ip (NMWireGuardPeer *self,
+                                              guint idx);
+
+NM_AVAILABLE_IN_1_16
+gboolean nm_wireguard_peer_is_valid (const NMWireGuardPeer *self,
+                                     gboolean check_non_secrets,
+                                     gboolean check_secrets,
+                                     GError **error);
+
+NM_AVAILABLE_IN_1_16
+int nm_wireguard_peer_cmp (const NMWireGuardPeer *a,
+                           const NMWireGuardPeer *b,
+                           NMSettingCompareFlags compare_flags);
+
+/*****************************************************************************/
+
 #define NM_TYPE_SETTING_WIREGUARD            (nm_setting_wireguard_get_type ())
 #define NM_SETTING_WIREGUARD(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_WIREGUARD, NMSettingWireGuard))
 #define NM_SETTING_WIREGUARD_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_SETTING_WIREGUARD, NMSettingWireGuardClass))
@@ -49,6 +131,15 @@ G_BEGIN_DECLS
 #define NM_SETTING_WIREGUARD_LISTEN_PORT       "listen-port"
 #define NM_SETTING_WIREGUARD_FWMARK            "fwmark"
 
+#define NM_SETTING_WIREGUARD_PEERS             "peers"
+
+#define NM_WIREGUARD_PEER_ATTR_PUBLIC_KEY           "public-key"
+#define NM_WIREGUARD_PEER_ATTR_ENDPOINT             "endpoint"
+#define NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY        "preshared-key"
+#define NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY_FLAGS  "preshared-key-flags"
+#define NM_WIREGUARD_PEER_ATTR_ALLOWED_IPS          "allowed-ips"
+#define NM_WIREGUARD_PEER_ATTR_PERSISTENT_KEEPALIVE "persistent-keepalive"
+
 /*****************************************************************************/
 
 typedef struct _NMSettingWireGuardClass NMSettingWireGuardClass;
@@ -75,6 +166,36 @@ guint32 nm_setting_wireguard_get_fwmark (NMSettingWireGuard *self);
 
 /*****************************************************************************/
 
+NM_AVAILABLE_IN_1_16
+guint nm_setting_wireguard_get_peers_len (NMSettingWireGuard *self);
+
+NM_AVAILABLE_IN_1_16
+NMWireGuardPeer *nm_setting_wireguard_get_peer (NMSettingWireGuard *self,
+                                                guint idx);
+
+NM_AVAILABLE_IN_1_16
+NMWireGuardPeer *nm_setting_wireguard_get_peer_by_public_key (NMSettingWireGuard *self,
+                                                              const char *public_key,
+                                                              guint *out_idx);
+
+NM_AVAILABLE_IN_1_16
+void nm_setting_wireguard_set_peer (NMSettingWireGuard *self,
+                                    NMWireGuardPeer *peer,
+                                    guint idx);
+
+NM_AVAILABLE_IN_1_16
+void nm_setting_wireguard_append_peer (NMSettingWireGuard *self,
+                                       NMWireGuardPeer *peer);
+
+NM_AVAILABLE_IN_1_16
+gboolean nm_setting_wireguard_remove_peer (NMSettingWireGuard *self,
+                                           guint idx);
+
+NM_AVAILABLE_IN_1_16
+guint nm_setting_wireguard_clear_peers (NMSettingWireGuard *self);
+
+/*****************************************************************************/
+
 G_END_DECLS
 
 #endif /* __NM_SETTING_WIREGUARD_H__ */

libnm-core/nm-setting.c

@@ -2067,7 +2067,7 @@ _nm_setting_update_secrets (NMSetting *setting, GVariant *secrets, GError **erro
 		int success;
 
 		success = NM_SETTING_GET_CLASS (setting)->update_one_secret (setting, secret_key, secret_value, &tmp_error);
-		g_assert (!((success == NM_SETTING_UPDATE_SECRET_ERROR) ^ (!!tmp_error)));
+		nm_assert (!((success == NM_SETTING_UPDATE_SECRET_ERROR) ^ (!!tmp_error)));
 
 		g_variant_unref (secret_value);
 

libnm/libnm.ver

@@ -1462,12 +1462,19 @@ global:
 	nm_setting_wifi_p2p_get_wfd_ies;
 	nm_setting_wifi_p2p_get_wps_method;
 	nm_setting_wifi_p2p_new;
+	nm_setting_wireguard_append_peer;
+	nm_setting_wireguard_clear_peers;
 	nm_setting_wireguard_get_fwmark;
 	nm_setting_wireguard_get_listen_port;
+	nm_setting_wireguard_get_peer;
+	nm_setting_wireguard_get_peer_by_public_key;
+	nm_setting_wireguard_get_peers_len;
 	nm_setting_wireguard_get_private_key;
 	nm_setting_wireguard_get_private_key_flags;
 	nm_setting_wireguard_get_type;
 	nm_setting_wireguard_new;
+	nm_setting_wireguard_remove_peer;
+	nm_setting_wireguard_set_peer;
 	nm_team_link_watcher_get_vlanid;
 	nm_team_link_watcher_new_arp_ping2;
 	nm_wifi_p2p_peer_connection_valid;
@@ -1483,4 +1490,28 @@ global:
 	nm_wifi_p2p_peer_get_strength;
 	nm_wifi_p2p_peer_get_type;
 	nm_wifi_p2p_peer_get_wfd_ies;
+	nm_wireguard_peer_append_allowed_ip;
+	nm_wireguard_peer_clear_allowed_ips;
+	nm_wireguard_peer_cmp;
+	nm_wireguard_peer_get_allowed_ip;
+	nm_wireguard_peer_get_allowed_ips_len;
+	nm_wireguard_peer_get_endpoint;
+	nm_wireguard_peer_get_persistent_keepalive;
+	nm_wireguard_peer_get_preshared_key;
+	nm_wireguard_peer_get_preshared_key_flags;
+	nm_wireguard_peer_get_public_key;
+	nm_wireguard_peer_get_type;
+	nm_wireguard_peer_is_sealed;
+	nm_wireguard_peer_is_valid;
+	nm_wireguard_peer_new;
+	nm_wireguard_peer_new_clone;
+	nm_wireguard_peer_ref;
+	nm_wireguard_peer_remove_allowed_ip;
+	nm_wireguard_peer_seal;
+	nm_wireguard_peer_set_endpoint;
+	nm_wireguard_peer_set_persistent_keepalive;
+	nm_wireguard_peer_set_preshared_key;
+	nm_wireguard_peer_set_preshared_key_flags;
+	nm_wireguard_peer_set_public_key;
+	nm_wireguard_peer_unref;
 } libnm_1_14_0;