GNU bug report logs -
#55055
[PATCH] gnu: wireguard: Add support for PresharedKey
Previous Next
Reported by: Paul Alesius <paul <at> unnservice.com>
Date: Thu, 21 Apr 2022 13:28:02 UTC
Severity: normal
Tags: patch
Done: Mathieu Othacehe <othacehe <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Paul Alesius schreef op do 21-04-2022 om 15:26 [+0200]:
> + (preshared-key wireguard-peer-preshared-key
> + (default #f)) ;string
This should be documented in the documentation, otherwise it will be
difficult to discover. Also, #f is not a string, did you mean
‘;#f|string’?
Also, a limitation: the preshared key will end up in the store, and
hence be world-readable. So other users on the same system (other
people or compromised system daemons) could now determine the preshared
key.
Questions:
* Could the security limitation be documented?
* What security impact does a leaked secret key have?
* Does wireguard has some inclusion mechanism, such that the
wireguard configuration can ‘include’ some file outside the store?
* WDYT of verifying that the preshared key looks ‘reasonable’
(I guess only a-z0-9 characters, no spaces or newlines, not a
bytevector ...)
As-is, if I do (preshared-keys (string->utf8 "oops I thought this
needs to be bytevector)) then "guix system reconfigure" doesn't
give a nice error message, it will just silently produce a broken
configuration file.
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 148 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.