From 8960370411a08c839e3b36579567bc2d3ebb51aa Mon Sep 17 00:00:00 2001 From: Steffen Vogel Date: Fri, 16 Sep 2022 12:22:33 +0200 Subject: [PATCH] crypto: replace KDF PBKDF2 with Argon2id Signed-off-by: Steffen Vogel --- pkg/core/interface.go | 42 ---------------------------------------- pkg/crypto/types.go | 9 +++------ pkg/crypto/types_test.go | 4 ++-- pkg/feat/feat.go | 2 +- 4 files changed, 6 insertions(+), 51 deletions(-) diff --git a/pkg/core/interface.go b/pkg/core/interface.go index 46c075da7..f05c8572a 100644 --- a/pkg/core/interface.go +++ b/pkg/core/interface.go @@ -3,7 +3,6 @@ package core import ( "fmt" "io" - "net" "os" "time" @@ -14,12 +13,10 @@ import ( "github.com/stv0g/cunicu/pkg/crypto" "github.com/stv0g/cunicu/pkg/device" "github.com/stv0g/cunicu/pkg/util" - "github.com/stv0g/cunicu/pkg/util/buildinfo" "github.com/stv0g/cunicu/pkg/wg" proto "github.com/stv0g/cunicu/pkg/proto" coreproto "github.com/stv0g/cunicu/pkg/proto/core" - pdiscproto "github.com/stv0g/cunicu/pkg/proto/feat/pdisc" ) type Interface struct { @@ -355,42 +352,3 @@ func (i *Interface) MarshalWithPeers(cb func(p *Peer) *coreproto.Peer) *coreprot return q } - -func (i *Interface) MarshalDescription(chg pdiscproto.PeerDescriptionChange, pkOld *crypto.Key) (*pdiscproto.PeerDescription, error) { - allowedIPs := []*net.IPNet{ - i.PublicKey().IPv6Address(), - i.PublicKey().IPv4Address(), - } - - // Only allow a single IP from the network - for _, allowedIP := range allowedIPs { - for i := range allowedIP.Mask { - allowedIP.Mask[i] = 0xff - } - } - - hn, err := os.Hostname() - if err != nil { - return nil, fmt.Errorf("failed to get hostname: %w", err) - } - - pd := &pdiscproto.PeerDescription{ - Change: chg, - Hostname: hn, - AllowedIps: util.StringSlice(allowedIPs), - BuildInfo: buildinfo.BuildInfo(), - } - - if pkOld != nil { - if pd.Change != pdiscproto.PeerDescriptionChange_PEER_UPDATE { - return nil, fmt.Errorf("can not change public key in non-update message") - } - - pd.PublicKeyNew = i.PublicKey().Bytes() - pd.PublicKey = pkOld.Bytes() - } else { - pd.PublicKey = i.PublicKey().Bytes() - } - - return pd, nil -} diff --git a/pkg/crypto/types.go b/pkg/crypto/types.go index ccde5cabb..34853ce24 100644 --- a/pkg/crypto/types.go +++ b/pkg/crypto/types.go @@ -1,14 +1,13 @@ package crypto import ( - "crypto/sha512" "encoding/base64" "errors" "net" "github.com/dchest/siphash" + "golang.org/x/crypto/argon2" "golang.org/x/crypto/curve25519" - "golang.org/x/crypto/pbkdf2" "golang.zx2c4.com/wireguard/wgctrl/wgtypes" ) @@ -16,8 +15,6 @@ import ( const ( KeyLength = 32 - - pbkdf2Iterations = 4096 ) var ( @@ -25,14 +22,14 @@ var ( // interfaces public key addrHashKey = [...]byte{0x67, 0x67, 0x2c, 0x05, 0xd1, 0x3e, 0x11, 0x94, 0xbb, 0x38, 0x91, 0xff, 0x4f, 0x80, 0xb3, 0x97} - pbkdf2Salt = [...]byte{0x77, 0x31, 0x63, 0x33, 0x63, 0x30, 0x6e, 0x6e, 0x33, 0x63, 0x74, 0x73, 0x33, 0x76, 0x65, 0x72, 0x79, 0x62, 0x30, 0x64, 0x79} + argonSalt = [...]byte{0x77, 0x31, 0x63, 0x33, 0x63, 0x30, 0x6e, 0x6e, 0x33, 0x63, 0x74, 0x73, 0x33, 0x76, 0x65, 0x72, 0x79, 0x62, 0x30, 0x64, 0x79} ) type Nonce []byte type Key [KeyLength]byte func GenerateKeyFromPassword(pw string) Key { - key := pbkdf2.Key([]byte(pw), pbkdf2Salt[:], pbkdf2Iterations, KeyLength, sha512.New) + key := argon2.IDKey([]byte(pw), argonSalt[:], 1, 64*1024, 4, KeyLength) // Modify random bytes using algorithm described at: // https://cr.yp.to/ecdh.html. diff --git a/pkg/crypto/types_test.go b/pkg/crypto/types_test.go index 8ffa716dc..1e4b1db3f 100644 --- a/pkg/crypto/types_test.go +++ b/pkg/crypto/types_test.go @@ -10,7 +10,7 @@ import ( . "github.com/onsi/gomega" ) -var _ = Describe("PBKDF2 Key derivation", func() { +var _ = Describe("Argon2id key derivation", func() { var key1, key2 crypto.Key BeforeEach(func() { @@ -19,7 +19,7 @@ var _ = Describe("PBKDF2 Key derivation", func() { }) It("matches well known key", func() { - Expect(crypto.ParseKey("SAyMLIWTO+DSnTx/JDak+lRR5huci8m4JsEabkkIxFY=")).To(Equal(key1)) + Expect(crypto.ParseKey("KJJj36cAiOLIaAImbnZtzvk6KmIpx87LLC4sCnriuUw=")).To(Equal(key1)) }) It("does not create equal keys", func() { diff --git a/pkg/feat/feat.go b/pkg/feat/feat.go index 59dd1a2a2..279af36e0 100644 --- a/pkg/feat/feat.go +++ b/pkg/feat/feat.go @@ -50,7 +50,7 @@ func NewFeatures(w *watcher.Watcher, cfg *config.Config, c *wgctrl.Client, b sig } if cfg.DefaultInterfaceSettings.PeerDisc.Enabled && cfg.DefaultInterfaceSettings.PeerDisc.Community != "" { - feats = append(feats, pdisc.New(w, c, b, cfg.DefaultInterfaceSettings.PeerDisc.Community, cfg.DefaultInterfaceSettings.PeerDisc.Whitelist)) + feats = append(feats, pdisc.New(w, c, b, cfg)) } if len(cfg.Hooks) > 0 {