[PATCH] gnu: wireguard: Add support for PresharedKey

OpenSubmitted by Paul Alesius.
Details
2 participants
  • Maxime Devos
  • Paul Alesius
Owner
unassigned
Severity
normal
P
P
Paul Alesius wrote on 21 Apr 15:26 +0200
(address . guix-patches@gnu.org)
CAL8jUGVj31UESVDj61D3kaYCWyPrapEzOYEAmPHwAqgN0tr6nw@mail.gmail.com
The WireGuard configuration supports a PresharedKey attribute for
additional security. This patch adds support for configuring a PresharedKey
attribute.

Tested, working.

With regards,
- Paul
Attachment: file
Attachment: guix.wg-psk.patch
M
M
Maxime Devos wrote on 21 Apr 16:25 +0200
274c06a235949ebbdd3f90e31afea1189f207ea0.camel@telenet.be
Paul Alesius schreef op do 21-04-2022 om 15:26 [+0200]:
Toggle quote (3 lines)
> + (preshared-key wireguard-peer-preshared-key
> + (default #f)) ;string

This should be documented in the documentation, otherwise it will be
difficult to discover. Also, #f is not a string, did you mean
‘;#f|string’?

Also, a limitation: the preshared key will end up in the store, and
hence be world-readable. So other users on the same system (other
people or compromised system daemons) could now determine the preshared
key.

Questions:

* Could the security limitation be documented?

* What security impact does a leaked secret key have?

* Does wireguard has some inclusion mechanism, such that the
wireguard configuration can ‘include’ some file outside the store?

* WDYT of verifying that the preshared key looks ‘reasonable’
(I guess only a-z0-9 characters, no spaces or newlines, not a
bytevector ...)

As-is, if I do (preshared-keys (string->utf8 "oops I thought this
needs to be bytevector)) then "guix system reconfigure" doesn't
give a nice error message, it will just silently produce a broken
configuration file.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmFpcRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7llhAQCW9CDpTLT1y63SNBlRydeAfzEL
/GZOhTtTzMFV07PwLQD9HdiRb3peV/Zq/d1yh8eY2eYgG6l4PdjiNVV2k+EdVAs=
=zCfL
-----END PGP SIGNATURE-----


P
P
Paul Alesius wrote on 21 Apr 22:41 +0200
Fwd: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
(address . 55055@debbugs.gnu.org)
CAL8jUGV9v_G=CoSJbXeXMn2DCL-=-Z-J8THJQ5G4RpTnAyXZyA@mail.gmail.com
Toggle quote (2 lines)
> Also, #f is not a string, did you mean ‘;#f|string’?

The idea behind #f is that the field is optional, so that if it isn't
specified in the configuration then it isn't written to the configuration
file at all, hence #f is for a conditional when writing the actual
configuration file and has no default value.

Toggle quote (2 lines)
> * Could the security limitation be documented?
> * Does wireguard has some inclusion mechanism, such that the wireguard
configuration can ‘include’ some file outside the store?

I'll fix it properly to allow for loading of a key file, WireGuard does not
have an inclusion mechanism. How does it work with regards to documentation
and i18n versions, do you use online translation for the other languages? I
can really only fill in the english version.

Toggle quote (2 lines)
> * What security impact does a leaked secret key have?

Minimal to none, one should worry about the cloud peers over the wire guard
pre-shared key. It's just an additional layer of security in case the
public key algorithms are broken (for instance with quantum decryption),
then the pre-shared key functions as a one-time pad. If none is specified,
wireguard will use a default one of an all-zero string.

Since countries log all traffic, you never know what they have, hence my
patch submission.

Toggle quote (1 lines)
> * WDYT of verifying that the preshared key looks ‘reasonable’ (I guess
only a-z0-9 characters, no spaces or newlines, not a bytevector ...)

I could develop a subsystem for validating the fields of the wireguard but
isn't it better to provide validations from the guix framework more
broadly? With my level of Guile scripting right now, I doubt that it would
be accepted.

With regards,
- Paul

On Thu, 21 Apr 2022 at 16:26, Maxime Devos <maximedevos@telenet.be> wrote:

Toggle quote (34 lines)
> Paul Alesius schreef op do 21-04-2022 om 15:26 [+0200]:
> > + (preshared-key wireguard-peer-preshared-key
> > + (default #f)) ;string
>
> This should be documented in the documentation, otherwise it will be
> difficult to discover. Also, #f is not a string, did you mean
> ‘;#f|string’?
>
> Also, a limitation: the preshared key will end up in the store, and
> hence be world-readable. So other users on the same system (other
> people or compromised system daemons) could now determine the preshared
> key.
>
> Questions:
>
> * Could the security limitation be documented?
>
> * What security impact does a leaked secret key have?
>
> * Does wireguard has some inclusion mechanism, such that the
> wireguard configuration can ‘include’ some file outside the store?
>
> * WDYT of verifying that the preshared key looks ‘reasonable’
> (I guess only a-z0-9 characters, no spaces or newlines, not a
> bytevector ...)
>
> As-is, if I do (preshared-keys (string->utf8 "oops I thought this
> needs to be bytevector)) then "guix system reconfigure" doesn't
> give a nice error message, it will just silently produce a broken
> configuration file.
>
> Greetings,
> Maxime.
>
Attachment: file
M
M
Maxime Devos wrote on 21 Apr 23:48 +0200
Re: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
(name . Paul Alesius)(address . paul@unnservice.com)(address . 55055@debbugs.gnu.org)
e16084793df7d4d4360d26f88b5d369ca2b7b241.camel@telenet.be
Paul Alesius schreef op do 21-04-2022 om 22:30 [+0200]:
Toggle quote (8 lines)
> > * Does wireguard has some inclusion mechanism, such that the
> > wireguard configuration can ‘include’ some file outside the store?
>
> I'll fix it properly to allow for loading of a key file, WireGuard
> does not have an inclusion mechanism. How does it work with regards
> to documentation and i18n versions, do you use online translation for
> the other languages? I can really only fill in the english version.

The main document is the English guix.texi, contributing.texi, ...

There is an automated system for making the translated guix.texi from
the main guix.texi and the translations at translate.fedoraproject.org.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHRNRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7m6OAQC3fkXlZtHXbpdB/bazNr/ty9kx
qf9dTplTt/rktks6aAD+IapXQwGO5rVl6wOkJRJlLX+Olgmn4Mn2qb/Rk+3yDAM=
=2CI0
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 21 Apr 23:55 +0200
Re: [bug#55055] Fwd: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
1e133ca9f5e9570cca8f07ff104673d1fce463e4.camel@telenet.be
Paul Alesius schreef op do 21-04-2022 om 22:41 [+0200]:
Toggle quote (9 lines)
> > * WDYT of verifying that the preshared key looks ‘reasonable’ (I
> > guess only a-z0-9 characters, no spaces or newlines, not a
> > bytevector ...)
>
> I could develop a subsystem for validating the fields of the
> wireguard but isn't it better to provide validations from the guix
> framework more broadly? With my level of Guile scripting right now, I
> doubt that it would be accepted.

There's already a basic system for this: field sanitisers. Have a look
at <network-address> and its 'assert-valid-address'. Long term, there
were some ideas for a contract system à la racket, there was some e-
mail thread about that.

Also, some very basic validation could be replacing

(format #f "PresharedKey = ~a\n" preshared-key)

by

(string-append "PresharedKey = " preshared-key "\n")

-- basically, let string-append do some basic type checking. This only
checks that it's a string though. 'make-regexp' and friends may be
useful for more complete validation.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHSxRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7ns4AP9p9cHFYz6/2tAjy3ylsebQR29b
4mRWYbGRytI1WieUQwD/cQu6iM1O6LAvnv9psSc23s50q1pIa5eNLyL4Gm53uwM=
=ExUI
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 21 Apr 23:59 +0200
f159028531cea0278f80b8e417dfe87625feeaa4.camel@telenet.be
Paul Alesius schreef op do 21-04-2022 om 22:41 [+0200]:
Toggle quote (7 lines)
> > Also, #f is not a string, did you mean ‘;#f|string’?
>
> The idea behind #f is that the field is optional, so that if it isn't
> specified in the configuration then it isn't written to the
> configuration file at all, hence #f is for a conditional when writing
> the actual configuration file and has no default value.

It's optional in the generated wireguard configuration file, but not in
the Guix record -- Guile records don't have a concept of optional
fields, though there are fields with default values.

Though apparently conventions are a bit inconsistent in Guix on this
matter. wireguard-configuration just does ;string, but <agetty-
configuration> does

(define-record-type* <agetty-configuration>
[...]
(tty agetty-configuration-tty) ;string | #f
(term agetty-term ;string | #f
(default #f))
(baud-rate agetty-baud-rate ;string | #f
(default #f))
(auto-login agetty-auto-login ;list of strings | #f
(default #f))
[...]

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYmHTzBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7ovcAQCKWz6k+g6IInGc7thPs7htzmmQ
fa11aLhA8BcBtIExqQD+Nhv5M1evawxRlpWpjbQWoEtqF1rL76jejOHQ7kgq5Ac=
=0e9t
-----END PGP SIGNATURE-----


?