From edc61c63951b60322466533f7f7f7d6e923f4cbb Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 19 Sep 2025 12:53:33 +0200
Subject: [PATCH 1/4] exclude Peer::preshared_key from debug output
---
 src/host.rs | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/host.rs b/src/host.rs
index d4243d1..8c414c9 100644
--- a/src/host.rs
+++ b/src/host.rs
@@ -2,7 +2,7 @@
 use std::{
 collections::HashMap,
- fmt::{Debug, Formatter},
+ fmt::{self, Debug, Formatter},
 io::{self, BufRead, BufReader, Read},
 net::SocketAddr,
 str::FromStr,
@@ -20,7 +20,7 @@ use serde::{Deserialize, Serialize};
 use crate::{error::WireguardInterfaceError, key::Key, net::IpAddrMask, utils::resolve};
 /// WireGuard peer representation.
-#[derive(Clone, Debug, Default, PartialEq)]
+#[derive(Clone, Default, PartialEq)]
 #[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
 pub struct Peer {
 pub public_key: Key,
@@ -34,6 +34,25 @@ pub struct Peer {
 pub allowed_ips: Vec,
 }
+// implement manually to avoid exposing preshared keys
+impl fmt::Debug for Peer {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ f.debug_struct("Peer")
+ .field("public_key", &self.public_key)
+ .field("protocol_version", &self.protocol_version)
+ .field("endpoint", &self.endpoint)
+ .field("last_handshake", &self.last_handshake)
+ .field("tx_bytes", &self.tx_bytes)
+ .field("rx_bytes", &self.rx_bytes)
+ .field(
+ "persistent_keepalive_interval",
+ &self.persistent_keepalive_interval,
+ )
+ .field("allowed_ips", &self.allowed_ips)
+ .finish_non_exhaustive()
+ }
+}
+
 impl Peer {
 /// Create new `Peer` with a given `public_key`.
 #[must_use]
From 28aad6e29e689f4993b943e190033c800ec6ce0f Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 19 Sep 2025 12:59:03 +0200
Subject: [PATCH 2/4] cargo update, bump version
---
 Cargo.lock | 42 +++++++++++++++++++++++++++++-------------
 Cargo.toml | 2 +-
 2 files changed, 30 insertions(+), 14 deletions(-)
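Review bot: Dropping `Debug` from the derive list closes only the `{:?}` path; the `#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]` line kept directly below still serializes `preshared_key` in full, so any caller that logs or dumps a `Peer` through serde still emits the secret. If that serialization is needed for persistence, I would state it on the field with a doc comment such as `/// Secret: omitted from Debug, still present in serde output; do not log a serialized Peer.` A dedicated wrapper type for secret keys with a redacting `Debug` would also cover other structs that hold key material; `Key`'s own `Debug` impl is not visible in this patch, so that part is something to check rather than a confirmed leak. The struct body, including the `preshared_key` field, continues outside this hunk.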
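Review bot: The hand-written field list in `fmt` can go stale without any signal: a field added to `Peer` later is simply missing from the debug output, and `finish_non_exhaustive()` hides that behind `..`. Opening the method with an exhaustive destructuring, `let Self { public_key, preshared_key: _, protocol_version, endpoint, last_handshake, tx_bytes, rx_bytes, persistent_keepalive_interval, allowed_ips } = self;`, and passing those bindings to the `.field(...)` calls makes the compiler reject the impl until each new field is explicitly printed or skipped. That keeps the current safe default (nothing is shown unless listed) while forcing a deliberate decision on whether a new field is secret. The field names are taken from the struct literal in the test added by patch 3/4, since the struct definition is only partly visible in this hunk.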
diff --git a/Cargo.lock b/Cargo.lock index 3f2bc08..435d3c1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "aho-corasick" @@ -146,7 +146,7 @@ dependencies = [ [[package]] name = "defguard_wireguard_rs" -version = "0.7.6" +version = "0.7.7" dependencies = [ "base64", "env_logger", @@ -264,11 +264,11 @@ dependencies = [ [[package]] name = "netlink-packet-core" -version = "0.8.0" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "745d789fe0958caf7252f5e1e900ce5c09b6a5bf05c7bba02a9cc600866ce31e" +checksum = "3463cbb78394cb0141e2c926b93fc2197e473394b761986eca3b9da2c63ae0f4" dependencies = [ - "pastey", + "paste", ] [[package]] @@ -345,6 +345,12 @@ version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad" +[[package]] +name = "paste" +version = "1.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" + [[package]] name = "pastey" version = "0.1.1" 
@@ -433,24 +439,34 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.26" +version = "1.0.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0" +checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2" [[package]] name = "serde" -version = "1.0.219" +version = "1.0.225" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fd6c24dee235d0da097043389623fb913daddf92c76e9f5a1db88607a0bcbd1d" +dependencies = [ + "serde_core", + "serde_derive", +] + +[[package]] +name = "serde_core" +version = "1.0.225" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" +checksum = "659356f9a0cb1e529b24c01e43ad2bdf520ec4ceaf83047b83ddcc2251f96383" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.219" +version = "1.0.225" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" +checksum = "0ea936adf78b1f766949a4977b91d2f5595825bd6ec079aa9543ad2685fc4516" dependencies = [ "proc-macro2", "quote", @@ -505,9 +521,9 @@ dependencies = [ [[package]] name = "unicode-ident" -version = "1.0.18" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" +checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d" [[package]] name = "utf8parse" diff --git a/Cargo.toml b/Cargo.toml index b4c3844..44c8d24 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "defguard_wireguard_rs" -version = "0.7.6" +version = "0.7.7" edition = "2024" rust-version = "1.85" description = "A unified multi-platform high-level API for managing WireGuard interfaces" 
From 097f533d6b1e37bb7598d3bc7e261e16f9bf028d Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 19 Sep 2025 13:13:29 +0200
Subject: [PATCH 3/4] add test
---
 src/host.rs | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/host.rs b/src/host.rs
index 8c414c9..7866e22 100644
--- a/src/host.rs
+++ b/src/host.rs
@@ -467,4 +467,24 @@ mod tests {
 peer.as_uapi_remove()
 );
 }
+
+ #[test]
+ fn dg25_28_test_dont_expose_preshared_keys() {
+ let preshared_key_str = "000102030405060708090a0b0c0d0e0ff0e1d2c3b4a5968778695a4b3c2d1e0f";
+ let peer = Peer {
+ public_key: Key::decode("286ac5ff9b2f900259008172225da774031e8a3689d8f341667be157b2336970").unwrap(),
+ preshared_key: Some(Key::decode(preshared_key_str).unwrap()),
+ protocol_version: None,
+ endpoint: None,
+ last_handshake: None,
+ tx_bytes: 0,
+ rx_bytes: 0,
+ persistent_keepalive_interval: None,
+ allowed_ips: Vec::new(),
+ };
+
+ let debug = format!("{peer:?}");
+ assert!(!debug.contains("preshared_key"));
+ assert!(!debug.contains(preshared_key_str));
+ }
 }
From 86982e5f0324cad831f5ec62ae7599ec6230eb4b Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 19 Sep 2025 13:19:25 +0200
Subject: [PATCH 4/4] cargo fmt
---
 src/host.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/host.rs b/src/host.rs
index 7866e22..6dcdcd1 100644
--- a/src/host.rs
+++ b/src/host.rs
@@ -472,7 +472,10 @@ mod tests {
 fn dg25_28_test_dont_expose_preshared_keys() {
 let preshared_key_str = "000102030405060708090a0b0c0d0e0ff0e1d2c3b4a5968778695a4b3c2d1e0f";
 let peer = Peer {
- public_key: Key::decode("286ac5ff9b2f900259008172225da774031e8a3689d8f341667be157b2336970").unwrap(),
+ public_key: Key::decode(
+ "286ac5ff9b2f900259008172225da774031e8a3689d8f341667be157b2336970",
+ )
+ .unwrap(),
 preshared_key: Some(Key::decode(preshared_key_str).unwrap()),
 protocol_version: None,
 endpoint: None,
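Review bot: The second assertion in the test added by patch 3/4, `assert!(!debug.contains(preshared_key_str));`, only proves anything if `Key`'s `Debug` prints the key as the same lowercase hex string that was passed to `Key::decode`. If `Key` renders another encoding, a leaked key would not match the hex literal and the test would still pass. `Key`'s formatting is not visible in this patch, so I would compare against what `Key` itself produces: `let psk_debug = format!("{:?}", Key::decode(preshared_key_str).unwrap());` followed by `assert!(!debug.contains(&psk_debug));`. A positive control such as `assert!(debug.contains(&format!("{:?}", peer.public_key)));` would also show that the substring check is able to fail.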