From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com, Christian Ebner <c.ebner@proxmox.com>
Subject: Re: [PATCH proxmox v4 02/31] wireguard: utilize x25519 for public key generation
Date: Thu, 7 May 2026 14:40:51 +0200	[thread overview]
Message-ID: <efea7f6d-ceff-45d0-a21e-b671b33a52b2@proxmox.com> (raw)
In-Reply-To: <20260507124008.417223-3-s.hanreich@proxmox.com>

@Christoph could you please double-check this in particular?


On 5/7/26 2:38 PM, Stefan Hanreich wrote:
> Previously, proxmox-wireguard used ed25519 for generating the public
> keys, which is the wrong algorithm for deriving suitable public keys
> for WireGuard - since ed25519 is a digital signature algorithm. x25519
> is for conducting DH key exchanges, which is what is utilized in the
> WireGuard protocol.
> 
> The generated public keys from the tests have been checked against the
> output from wg pubkey - to make sure that generated keys are exactly
> the same as the ones generated by the userspace wg(8) tool.
> 
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  proxmox-wireguard/Cargo.toml |  1 +
>  proxmox-wireguard/src/lib.rs | 56 +++++++++++++-----------------------
>  2 files changed, 21 insertions(+), 36 deletions(-)
> 
> diff --git a/proxmox-wireguard/Cargo.toml b/proxmox-wireguard/Cargo.toml
> index b1abae3d..ae3236a8 100644
> --- a/proxmox-wireguard/Cargo.toml
> +++ b/proxmox-wireguard/Cargo.toml
> @@ -11,6 +11,7 @@ rust-version.workspace = true
>  
>  [dependencies]
>  ed25519-dalek = "2.1"
> +x25519-dalek = { version = "2.0.1", features = ["getrandom", "static_secrets"] }
>  serde = { workspace = true, features = [ "derive" ] }
>  thiserror.workspace = true
>  proxmox-schema = { workspace = true, optional = true, features = ["api-types"] }
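Review bot: The `getrandom` feature on the new `x25519-dalek` line is switched on for every build, although the only caller visible in this patch, `PrivateKey::generate()`, is compiled only under the crate's `key-generation` feature. If nothing else in the crate needs OS randomness, the feature could follow that switch by dropping `"getrandom"` here and adding `"x25519-dalek/getrandom"` to the `key-generation` entry. The `[features]` table lies outside this hunk, so its current contents need checking first.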
> diff --git a/proxmox-wireguard/src/lib.rs b/proxmox-wireguard/src/lib.rs
> index 08579775..bf6ea8ad 100644
> --- a/proxmox-wireguard/src/lib.rs
> +++ b/proxmox-wireguard/src/lib.rs
> @@ -12,9 +12,11 @@
>  
>  #![forbid(unsafe_code, missing_docs)]
>  
> +use std::fmt;
> +
>  use ed25519_dalek::SigningKey;
>  use serde::{Deserialize, Serialize};
> -use std::fmt;
> +use x25519_dalek::StaticSecret;
>  
>  use proxmox_network_types::{endpoint::ServiceEndpoint, ip_address::Cidr};
>  #[cfg(feature = "api-types")]
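Review bot: `use ed25519_dalek::SigningKey;` stays as a context line, but both uses visible in this patch (`from_raw` and the old `public_key` body) are removed further down. If `generate_key()` or other code outside these hunks no longer needs it, drop the import together with `ed25519-dalek = "2.1"` in Cargo.toml. That keeps a signature crate out of a library that now only performs X25519 and avoids an unused-import warning. If something does still depend on it, a short comment naming that user would prevent the next reader from assuming the key type is still Ed25519.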
> @@ -42,9 +44,7 @@ impl From<proxmox_ini::Error> for Error {
>  /// Public key of a WireGuard peer.
>  #[derive(Clone, Copy, Deserialize, Serialize, Hash, Debug)]
>  #[serde(transparent)]
> -pub struct PublicKey(
> -    #[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; ed25519_dalek::PUBLIC_KEY_LENGTH],
> -);
> +pub struct PublicKey(#[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; 32]);
>  
>  #[cfg(feature = "api-types")]
>  impl ApiType for PublicKey {
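Review bot: The key length is now the bare literal `32` in `PublicKey`, and again in `PrivateKey` and in `impl From<[u8; 32]>` in the following hunks, while the patch removes `PrivateKey::RAW_LENGTH`, the only named length the crate exposed. A single constant such as `pub const KEY_LENGTH: usize = 32;` with `[u8; KEY_LENGTH]` in those places would keep the three definitions tied together. It would also give code that used `RAW_LENGTH` a replacement, if such callers exist outside this patch.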
> @@ -62,9 +62,7 @@ impl UpdaterType for PublicKey {
>  /// Private key of a WireGuard peer.
>  #[derive(Serialize)]
>  #[serde(transparent)]
> -pub struct PrivateKey(
> -    #[serde(with = "proxmox_serde::byte_array_as_base64")] ed25519_dalek::SecretKey,
> -);
> +pub struct PrivateKey(#[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; 32]);
>  
>  impl fmt::Debug for PrivateKey {
>      fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
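Review bot: `PrivateKey` keeps the secret scalar in a plain `[u8; 32]`, so nothing visible here wipes the bytes when a value is dropped. The `StaticSecret` used for generation and derivation is, as far as I know, zeroized on drop with x25519-dalek's default `zeroize` feature, so the long-lived copy is the less protected one. Consider `impl Drop for PrivateKey { fn drop(&mut self) { self.0.zeroize(); } }`, which needs `zeroize` as a direct dependency, or storing the `StaticSecret` itself. Whether a `Drop` impl already exists elsewhere in the file cannot be seen from this hunk.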
> @@ -73,42 +71,27 @@ impl fmt::Debug for PrivateKey {
>  }
>  
>  impl PrivateKey {
> -    /// Length of the raw private key data in bytes.
> -    pub const RAW_LENGTH: usize = ed25519_dalek::SECRET_KEY_LENGTH;
> -
>      /// Generates a new private key suitable for use with WireGuard.
>      #[cfg(feature = "key-generation")]
>      pub fn generate() -> Result<Self, Error> {
> -        generate_key().map(Self)
> +        Ok(Self(StaticSecret::random().to_bytes()))
>      }
>  
>      /// Calculates the public key from the private key.
>      pub fn public_key(&self) -> PublicKey {
> -        PublicKey(
> -            ed25519_dalek::SigningKey::from_bytes(&self.0)
> -                .verifying_key()
> -                .to_bytes(),
> -        )
> -    }
> -
> -    /// Builds a new [`PrivateKey`] from raw key material.
> -    #[must_use]
> -    pub fn from_raw(data: ed25519_dalek::SecretKey) -> Self {
> -        // [`SigningKey`] takes care of correct key clamping.
> -        Self(SigningKey::from(&data).to_bytes())
> +        PublicKey(x25519_dalek::PublicKey::from(&StaticSecret::from(self.0)).to_bytes())
>      }
>  }
>  
> -impl From<ed25519_dalek::SecretKey> for PrivateKey {
> -    fn from(value: ed25519_dalek::SecretKey) -> Self {
> +impl From<[u8; 32]> for PrivateKey {
> +    fn from(value: [u8; 32]) -> Self {
>          Self(value)
>      }
>  }
>  
> -impl AsRef<ed25519_dalek::SecretKey> for PrivateKey {
> -    /// Returns the raw private key material.
> -    fn as_ref(&self) -> &ed25519_dalek::SecretKey {
> -        &self.0
> +impl From<x25519_dalek::StaticSecret> for PrivateKey {
> +    fn from(value: x25519_dalek::StaticSecret) -> Self {
> +        Self(value.to_bytes())
>      }
>  }
>  
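Review bot: `generate()` keeps its `Result<Self, Error>` signature but the new body can only return `Ok`. As far as I know `StaticSecret::random()` fills the key from the OS RNG through an infallible call that panics on failure, so an RNG error that the old `generate_key()` path could presumably report now aborts the caller instead. Either document it with a `/// # Panics` section stating that the function panics if the operating system RNG fails, or keep a fallible path by drawing the 32 bytes through a `try_fill_bytes`-style call and passing them to `StaticSecret::from`. The patch also removes `from_raw`, `RAW_LENGTH` and the `AsRef` impl, which are public API, so dependent crates in the series need the matching change.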
> @@ -239,7 +222,8 @@ mod tests {
>  
>      fn mock_private_key(v: u8) -> PrivateKey {
>          let base = v * 32;
> -        PrivateKey((base..base + 32).collect::<Vec<u8>>().try_into().unwrap())
> +        let key: [u8; 32] = (base..base + 32).collect::<Vec<u8>>().try_into().unwrap();
> +        PrivateKey(key.into())
>      }
>  
>      fn mock_preshared_key(v: u8) -> PresharedKey {
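Review bot: In `mock_private_key`, `key.into()` converts a `[u8; 32]` into the `[u8; 32]` field, which is an identity conversion (clippy reports it as `useless_conversion`); `PrivateKey(key)` is enough. The unchanged arithmetic above it also has an undocumented limit: for `v >= 7`, `base + 32` no longer fits in `u8`. A comment such as `// v must be <= 6 so that base + 32 fits in u8` would stop a later fixture from hitting an overflow panic.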
> @@ -272,7 +256,7 @@ ListenPort = 51820
>  FwMark = 127
>  
>  [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
>  PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
>  AllowedIPs = 192.168.0.0/24
>  Endpoint = foo.example.com:51820
> @@ -328,24 +312,24 @@ PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
>  ListenPort = 51820
>  
>  [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
>  PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
>  AllowedIPs = 192.168.0.0/24
>  Endpoint = foo.example.com:51820
>  
>  [Peer]
> -PublicKey = JUO5L/EJVRFHatyDadtt3JM2ZaEZeN2hQE7hBmypVZ0=
> +PublicKey = eaYx7t4b+cmPEgMs3q3Q56B5OY/HhriMyEbsia+FpRo=
>  PresharedKey = QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl8=
>  AllowedIPs = 192.168.1.0/24
>  PersistentKeepalive = 25
>  
>  [Peer]
> -PublicKey = F0VTtFbd38aQjsqxwQH+arIeK6oGF3lbfUOmNIKZP9U=
> +PublicKey = Z13VdO13iTELPS52gfN5C0ZsdzsVIf7PNld5WDcepS8=
>  PresharedKey = YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=
>  AllowedIPs = 192.168.2.0/24
>  
>  [Peer]
> -PublicKey = zRSzf5VulTGU/3+3Oz2B3MVh1hp1OAlLfD4aZD7l86o=
> +PublicKey = ST6C/HRGSlkmiBdiPSBTxeuOLMSpiLT+4XnsawENUx0=
>  PresharedKey = gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp8=
>  Endpoint = 10.0.0.1:51820
>  PersistentKeepalive = 25
> @@ -376,7 +360,7 @@ PersistentKeepalive = 25
>  PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
>  
>  [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
>  PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
>  AllowedIPs = 192.168.0.0/24
>  Endpoint = 10.0.0.1:51820






Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-07 12:39 [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-cluster v4 01/31] cfs: add 'priv/wg-keys.cfg' to observed files Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 02/31] wireguard: utilize x25519 for public key generation Stefan Hanreich
2026-05-07 12:40   ` Stefan Hanreich [this message]
2026-05-07 12:39 ` [PATCH proxmox v4 03/31] wireguard: skip serializing preshared_key if unset Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 04/31] wireguard: implement ApiType for private key Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 05/31] network-types: implement ApiType for endpoints and hostnames Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 06/31] sdn-types: add wireguard-specific PersistentKeepalive api type Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 07/31] ve-config: fabrics: split interface name regex into two parts Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 08/31] ve-config: fabric: refactor fabric config entry impl using macro Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 09/31] ve-config: fabrics: add protocol-specific properties for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 10/31] ve-config: wireguard: add private keys section config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 11/31] ve-config: sdn: fabrics: add wireguard to the fabric config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 12/31] ve-config: fabrics: wireguard add validation for wireguard config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 13/31] ve-config: fabrics: implement wireguard config generation Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 14/31] pve-rs: fabrics: wireguard: generate ifupdown2 configuration Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 15/31] pve-rs: fabrics: add helpers for parsing interface property strings Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 16/31] pve-rs: sdn: wireguard: add private keys module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 17/31] sdn: add wireguard helper module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 18/31] fabrics: wireguard: add schema definitions for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 19/31] fabrics: wireguard: implement wireguard key auto-generation Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 20/31] network: sdn: generate wireguard configuration on apply Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 21/31] ui: fix parsing of property-strings when values contain = Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 22/31] ui: fabrics: i18n: make node loading string translatable Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 23/31] ui: fabrics: split node selector creation and config Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 24/31] ui: fabrics: edit: make ipv4/6 support generic over fabric panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 25/31] ui: fabrics: node: make ipv4/6 support generic over edit panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 26/31] ui: fabrics: interface: " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 27/31] ui: fabrics: wireguard: add interface edit panel Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 28/31] ui: fabrics: wireguard: add node " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 29/31] ui: fabrics: wireguard: add fabric " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 30/31] ui: fabrics: hook up wireguard components Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 31/31] fabrics: node edit: add option to include wireguard interfaces Stefan Hanreich
2026-05-07 14:08 ` partially-applied: [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Thomas Lamprecht
