[PATCH] gnu: wireguard: Add support for PresharedKey

OpenSubmitted by Paul Alesius.
Details
2 participants
  • Maxime Devos
  • Paul Alesius
Owner
unassigned
Severity
normal
P
P
Paul Alesius wrote on 21 Apr 15:26 +0200
Download
(address . guix-patches@gnu.org)
CAL8jUGVj31UESVDj61D3kaYCWyPrapEzOYEAmPHwAqgN0tr6nw@mail.gmail.com
Download
The WireGuard configuration supports a PresharedKey attribute for
additional security. This patch adds support for configuring a PresharedKey
attribute.

Tested, working.

With regards,
- Paul
Attachment: file
Attachment: guix.wg-psk.patch
M
M
Maxime Devos wrote on 21 Apr 16:25 +0200
Download
274c06a235949ebbdd3f90e31afea1189f207ea0.camel@telenet.be
Download
Paul Alesius schreef op do 21-04-2022 om 15:26 [+0200]:
Toggle quote (3 lines)
> + (preshared-key wireguard-peer-preshared-key
> + (default #f)) ;string

This should be documented in the documentation, otherwise it will be
difficult to discover. Also, #f is not a string, did you mean
‘;#f|string’?

Also, a limitation: the preshared key will end up in the store, and
hence be world-readable. So other users on the same system (other
people or compromised system daemons) could now determine the preshared
key.

Questions:

* Could the security limitation be documented?

* What security impact does a leaked secret key have?

* Does wireguard has some inclusion mechanism, such that the
wireguard configuration can ‘include’ some file outside the store?

* WDYT of verifying that the preshared key looks ‘reasonable’
(I guess only a-z0-9 characters, no spaces or newlines, not a
bytevector ...)

As-is, if I do (preshared-keys (string->utf8 "oops I thought this
needs to be bytevector)) then "guix system reconfigure" doesn't
give a nice error message, it will just silently produce a broken
configuration file.

Greetings,
Maxime.
Download
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmFpcRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7llhAQCW9CDpTLT1y63SNBlRydeAfzEL
/GZOhTtTzMFV07PwLQD9HdiRb3peV/Zq/d1yh8eY2eYgG6l4PdjiNVV2k+EdVAs=
=zCfL
-----END PGP SIGNATURE-----


P
P
Paul Alesius wrote on 21 Apr 22:41 +0200
Download
Fwd: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
(address . 55055@debbugs.gnu.org)
CAL8jUGV9v_G=CoSJbXeXMn2DCL-=-Z-J8THJQ5G4RpTnAyXZyA@mail.gmail.com
Download
Toggle quote (2 lines)
> Also, #f is not a string, did you mean ‘;#f|string’?

The idea behind #f is that the field is optional, so that if it isn't
specified in the configuration then it isn't written to the configuration
file at all, hence #f is for a conditional when writing the actual
configuration file and has no default value.

Toggle quote (2 lines)
> * Could the security limitation be documented?
> * Does wireguard has some inclusion mechanism, such that the wireguard
configuration can ‘include’ some file outside the store?

I'll fix it properly to allow for loading of a key file, WireGuard does not
have an inclusion mechanism. How does it work with regards to documentation
and i18n versions, do you use online translation for the other languages? I
can really only fill in the english version.

Toggle quote (2 lines)
> * What security impact does a leaked secret key have?

Minimal to none, one should worry about the cloud peers over the wire guard
pre-shared key. It's just an additional layer of security in case the
public key algorithms are broken (for instance with quantum decryption),
then the pre-shared key functions as a one-time pad. If none is specified,
wireguard will use a default one of an all-zero string.

Since countries log all traffic, you never know what they have, hence my
patch submission.

Toggle quote (1 lines)
> * WDYT of verifying that the preshared key looks ‘reasonable’ (I guess
only a-z0-9 characters, no spaces or newlines, not a bytevector ...)

I could develop a subsystem for validating the fields of the wireguard but
isn't it better to provide validations from the guix framework more
broadly? With my level of Guile scripting right now, I doubt that it would
be accepted.

With regards,
- Paul

On Thu, 21 Apr 2022 at 16:26, Maxime Devos <maximedevos@telenet.be> wrote:

Toggle quote (34 lines)
> Paul Alesius schreef op do 21-04-2022 om 15:26 [+0200]:
> > + (preshared-key wireguard-peer-preshared-key
> > + (default #f)) ;string
>
> This should be documented in the documentation, otherwise it will be
> difficult to discover. Also, #f is not a string, did you mean
> ‘;#f|string’?
>
> Also, a limitation: the preshared key will end up in the store, and
> hence be world-readable. So other users on the same system (other
> people or compromised system daemons) could now determine the preshared
> key.
>
> Questions:
>
> * Could the security limitation be documented?
>
> * What security impact does a leaked secret key have?
>
> * Does wireguard has some inclusion mechanism, such that the
> wireguard configuration can ‘include’ some file outside the store?
>
> * WDYT of verifying that the preshared key looks ‘reasonable’
> (I guess only a-z0-9 characters, no spaces or newlines, not a
> bytevector ...)
>
> As-is, if I do (preshared-keys (string->utf8 "oops I thought this
> needs to be bytevector)) then "guix system reconfigure" doesn't
> give a nice error message, it will just silently produce a broken
> configuration file.
>
> Greetings,
> Maxime.
>
Attachment: file
M
M
Maxime Devos wrote on 21 Apr 23:48 +0200
Download
Re: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
(name . Paul Alesius)(address . paul@unnservice.com)(address . 55055@debbugs.gnu.org)
e16084793df7d4d4360d26f88b5d369ca2b7b241.camel@telenet.be
Download
Paul Alesius schreef op do 21-04-2022 om 22:30 [+0200]:
Toggle quote (8 lines)
> > * Does wireguard has some inclusion mechanism, such that the
> > wireguard configuration can ‘include’ some file outside the store?
>
> I'll fix it properly to allow for loading of a key file, WireGuard
> does not have an inclusion mechanism. How does it work with regards
> to documentation and i18n versions, do you use online translation for
> the other languages? I can really only fill in the english version.

The main document is the English guix.texi, contributing.texi, ...

Translation happens at https://translate.fedoraproject.org/projects/guix/documentation-manual.
There is an automated system for making the translated guix.texi from
the main guix.texi and the translations at translate.fedoraproject.org.

Greetings,
Maxime.
Download
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHRNRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7m6OAQC3fkXlZtHXbpdB/bazNr/ty9kx
qf9dTplTt/rktks6aAD+IapXQwGO5rVl6wOkJRJlLX+Olgmn4Mn2qb/Rk+3yDAM=
=2CI0
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 21 Apr 23:55 +0200
Download
Re: [bug#55055] Fwd: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
1e133ca9f5e9570cca8f07ff104673d1fce463e4.camel@telenet.be
Download
Paul Alesius schreef op do 21-04-2022 om 22:41 [+0200]:
Toggle quote (9 lines)
> > * WDYT of verifying that the preshared key looks ‘reasonable’ (I
> > guess only a-z0-9 characters, no spaces or newlines, not a
> > bytevector ...)
>
> I could develop a subsystem for validating the fields of the
> wireguard but isn't it better to provide validations from the guix
> framework more broadly? With my level of Guile scripting right now, I
> doubt that it would be accepted.

There's already a basic system for this: field sanitisers. Have a look
at <network-address> and its 'assert-valid-address'. Long term, there
were some ideas for a contract system à la racket, there was some e-
mail thread about that.

Also, some very basic validation could be replacing

(format #f "PresharedKey = ~a\n" preshared-key)

by

(string-append "PresharedKey = " preshared-key "\n")

-- basically, let string-append do some basic type checking. This only
checks that it's a string though. 'make-regexp' and friends may be
useful for more complete validation.

Greetings,
Maxime.
Download
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHSxRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7ns4AP9p9cHFYz6/2tAjy3ylsebQR29b
4mRWYbGRytI1WieUQwD/cQu6iM1O6LAvnv9psSc23s50q1pIa5eNLyL4Gm53uwM=
=ExUI
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 21 Apr 23:59 +0200
Download
f159028531cea0278f80b8e417dfe87625feeaa4.camel@telenet.be
Download
Paul Alesius schreef op do 21-04-2022 om 22:41 [+0200]:
Toggle quote (7 lines)
> > Also, #f is not a string, did you mean ‘;#f|string’?
>
> The idea behind #f is that the field is optional, so that if it isn't
> specified in the configuration then it isn't written to the
> configuration file at all, hence #f is for a conditional when writing
> the actual configuration file and has no default value.

It's optional in the generated wireguard configuration file, but not in
the Guix record -- Guile records don't have a concept of optional
fields, though there are fields with default values.

Though apparently conventions are a bit inconsistent in Guix on this
matter. wireguard-configuration just does ;string, but <agetty-
configuration> does

(define-record-type* <agetty-configuration>
[...]
(tty agetty-configuration-tty) ;string | #f
(term agetty-term ;string | #f
(default #f))
(baud-rate agetty-baud-rate ;string | #f
(default #f))
(auto-login agetty-auto-login ;list of strings | #f
(default #f))
[...]

Greetings,
Maxime.
Download
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHTzBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7ovcAQCKWz6k+g6IInGc7thPs7htzmmQ
fa11aLhA8BcBtIExqQD+Nhv5M1evawxRlpWpjbQWoEtqF1rL76jejOHQ7kgq5Ac=
=0e9t
-----END PGP SIGNATURE-----


?
You may also send email to 55055@debbugs.gnu.org to comment.