From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com, Christian Ebner <c.ebner@proxmox.com>
Subject: Re: [PATCH proxmox v4 02/31] wireguard: utilize x25519 for public key generation
Date: Thu, 7 May 2026 14:40:51 +0200 [thread overview]
Message-ID: <efea7f6d-ceff-45d0-a21e-b671b33a52b2@proxmox.com> (raw)
In-Reply-To: <20260507124008.417223-3-s.hanreich@proxmox.com>
@Christoph could you please double-check this in particular?
On 5/7/26 2:38 PM, Stefan Hanreich wrote:
> Previously, proxmox-wireguard used ed25519 for generating the public
> keys, which is the wrong algorithm for deriving suitable public keys
> for WireGuard - since ed25519 is a digital signature algorithm. x25519
> is for conducting DH key exchanges, which is what is utilized in the
> WireGuard protocol.
>
> The generated public keys from the tests have been checked against the
> output from wg pubkey - to make sure that generated keys are exactly
> the same as the ones generated by the userspace wg(8) tool.
>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> proxmox-wireguard/Cargo.toml | 1 +
> proxmox-wireguard/src/lib.rs | 56 +++++++++++++-----------------------
> 2 files changed, 21 insertions(+), 36 deletions(-)
>
> diff --git a/proxmox-wireguard/Cargo.toml b/proxmox-wireguard/Cargo.toml
> index b1abae3d..ae3236a8 100644
> --- a/proxmox-wireguard/Cargo.toml
> +++ b/proxmox-wireguard/Cargo.toml
> @@ -11,6 +11,7 @@ rust-version.workspace = true
>
> [dependencies]
> ed25519-dalek = "2.1"
> +x25519-dalek = { version = "2.0.1", features = ["getrandom", "static_secrets"] }
> serde = { workspace = true, features = [ "derive" ] }
> thiserror.workspace = true
> proxmox-schema = { workspace = true, optional = true, features = ["api-types"] }
> diff --git a/proxmox-wireguard/src/lib.rs b/proxmox-wireguard/src/lib.rs
> index 08579775..bf6ea8ad 100644
> --- a/proxmox-wireguard/src/lib.rs
> +++ b/proxmox-wireguard/src/lib.rs
> @@ -12,9 +12,11 @@
>
> #![forbid(unsafe_code, missing_docs)]
>
> +use std::fmt;
> +
> use ed25519_dalek::SigningKey;
> use serde::{Deserialize, Serialize};
> -use std::fmt;
> +use x25519_dalek::StaticSecret;
>
> use proxmox_network_types::{endpoint::ServiceEndpoint, ip_address::Cidr};
> #[cfg(feature = "api-types")]
> @@ -42,9 +44,7 @@ impl From<proxmox_ini::Error> for Error {
> /// Public key of a WireGuard peer.
> #[derive(Clone, Copy, Deserialize, Serialize, Hash, Debug)]
> #[serde(transparent)]
> -pub struct PublicKey(
> - #[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; ed25519_dalek::PUBLIC_KEY_LENGTH],
> -);
> +pub struct PublicKey(#[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; 32]);
>
> #[cfg(feature = "api-types")]
> impl ApiType for PublicKey {
> @@ -62,9 +62,7 @@ impl UpdaterType for PublicKey {
> /// Private key of a WireGuard peer.
> #[derive(Serialize)]
> #[serde(transparent)]
> -pub struct PrivateKey(
> - #[serde(with = "proxmox_serde::byte_array_as_base64")] ed25519_dalek::SecretKey,
> -);
> +pub struct PrivateKey(#[serde(with = "proxmox_serde::byte_array_as_base64")] [u8; 32]);
>
> impl fmt::Debug for PrivateKey {
> fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
> @@ -73,42 +71,27 @@ impl fmt::Debug for PrivateKey {
> }
>
> impl PrivateKey {
> - /// Length of the raw private key data in bytes.
> - pub const RAW_LENGTH: usize = ed25519_dalek::SECRET_KEY_LENGTH;
> -
> /// Generates a new private key suitable for use with WireGuard.
> #[cfg(feature = "key-generation")]
> pub fn generate() -> Result<Self, Error> {
> - generate_key().map(Self)
> + Ok(Self(StaticSecret::random().to_bytes()))
> }
>
> /// Calculates the public key from the private key.
> pub fn public_key(&self) -> PublicKey {
> - PublicKey(
> - ed25519_dalek::SigningKey::from_bytes(&self.0)
> - .verifying_key()
> - .to_bytes(),
> - )
> - }
> -
> - /// Builds a new [`PrivateKey`] from raw key material.
> - #[must_use]
> - pub fn from_raw(data: ed25519_dalek::SecretKey) -> Self {
> - // [`SigningKey`] takes care of correct key clamping.
> - Self(SigningKey::from(&data).to_bytes())
> + PublicKey(x25519_dalek::PublicKey::from(&StaticSecret::from(self.0)).to_bytes())
> }
> }
>
> -impl From<ed25519_dalek::SecretKey> for PrivateKey {
> - fn from(value: ed25519_dalek::SecretKey) -> Self {
> +impl From<[u8; 32]> for PrivateKey {
> + fn from(value: [u8; 32]) -> Self {
> Self(value)
> }
> }
>
> -impl AsRef<ed25519_dalek::SecretKey> for PrivateKey {
> - /// Returns the raw private key material.
> - fn as_ref(&self) -> &ed25519_dalek::SecretKey {
> - &self.0
> +impl From<x25519_dalek::StaticSecret> for PrivateKey {
> + fn from(value: x25519_dalek::StaticSecret) -> Self {
> + Self(value.to_bytes())
> }
> }
>
> @@ -239,7 +222,8 @@ mod tests {
>
> fn mock_private_key(v: u8) -> PrivateKey {
> let base = v * 32;
> - PrivateKey((base..base + 32).collect::<Vec<u8>>().try_into().unwrap())
> + let key: [u8; 32] = (base..base + 32).collect::<Vec<u8>>().try_into().unwrap();
> + PrivateKey(key.into())
> }
>
> fn mock_preshared_key(v: u8) -> PresharedKey {
> @@ -272,7 +256,7 @@ ListenPort = 51820
> FwMark = 127
>
> [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
> PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
> AllowedIPs = 192.168.0.0/24
> Endpoint = foo.example.com:51820
> @@ -328,24 +312,24 @@ PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
> ListenPort = 51820
>
> [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
> PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
> AllowedIPs = 192.168.0.0/24
> Endpoint = foo.example.com:51820
>
> [Peer]
> -PublicKey = JUO5L/EJVRFHatyDadtt3JM2ZaEZeN2hQE7hBmypVZ0=
> +PublicKey = eaYx7t4b+cmPEgMs3q3Q56B5OY/HhriMyEbsia+FpRo=
> PresharedKey = QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl8=
> AllowedIPs = 192.168.1.0/24
> PersistentKeepalive = 25
>
> [Peer]
> -PublicKey = F0VTtFbd38aQjsqxwQH+arIeK6oGF3lbfUOmNIKZP9U=
> +PublicKey = Z13VdO13iTELPS52gfN5C0ZsdzsVIf7PNld5WDcepS8=
> PresharedKey = YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=
> AllowedIPs = 192.168.2.0/24
>
> [Peer]
> -PublicKey = zRSzf5VulTGU/3+3Oz2B3MVh1hp1OAlLfD4aZD7l86o=
> +PublicKey = ST6C/HRGSlkmiBdiPSBTxeuOLMSpiLT+4XnsawENUx0=
> PresharedKey = gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp8=
> Endpoint = 10.0.0.1:51820
> PersistentKeepalive = 25
> @@ -376,7 +360,7 @@ PersistentKeepalive = 25
> PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
>
> [Peer]
> -PublicKey = Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc=
> +PublicKey = NYBy1jZYgNGu6jKa35EhODhR7SGijjt16WXQ0s0WYlQ=
> PresharedKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
> AllowedIPs = 192.168.0.0/24
> Endpoint = 10.0.0.1:51820
next prev parent reply other threads:[~2026-05-07 12:44 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 12:39 [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-cluster v4 01/31] cfs: add 'priv/wg-keys.cfg' to observed files Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 02/31] wireguard: utilize x25519 for public key generation Stefan Hanreich
2026-05-07 12:40 ` Stefan Hanreich [this message]
2026-05-07 12:39 ` [PATCH proxmox v4 03/31] wireguard: skip serializing preshared_key if unset Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 04/31] wireguard: implement ApiType for private key Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 05/31] network-types: implement ApiType for endpoints and hostnames Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 06/31] sdn-types: add wireguard-specific PersistentKeepalive api type Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 07/31] ve-config: fabrics: split interface name regex into two parts Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 08/31] ve-config: fabric: refactor fabric config entry impl using macro Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 09/31] ve-config: fabrics: add protocol-specific properties for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 10/31] ve-config: wireguard: add private keys section config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 11/31] ve-config: sdn: fabrics: add wireguard to the fabric config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 12/31] ve-config: fabrics: wireguard add validation for wireguard config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 13/31] ve-config: fabrics: implement wireguard config generation Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 14/31] pve-rs: fabrics: wireguard: generate ifupdown2 configuration Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 15/31] pve-rs: fabrics: add helpers for parsing interface property strings Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 16/31] pve-rs: sdn: wireguard: add private keys module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 17/31] sdn: add wireguard helper module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 18/31] fabrics: wireguard: add schema definitions for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 19/31] fabrics: wireguard: implement wireguard key auto-generation Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 20/31] network: sdn: generate wireguard configuration on apply Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 21/31] ui: fix parsing of property-strings when values contain = Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 22/31] ui: fabrics: i18n: make node loading string translatable Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 23/31] ui: fabrics: split node selector creation and config Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 24/31] ui: fabrics: edit: make ipv4/6 support generic over fabric panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 25/31] ui: fabrics: node: make ipv4/6 support generic over edit panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 26/31] ui: fabrics: interface: " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 27/31] ui: fabrics: wireguard: add interface edit panel Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 28/31] ui: fabrics: wireguard: add node " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 29/31] ui: fabrics: wireguard: add fabric " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 30/31] ui: fabrics: hook up wireguard components Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 31/31] fabrics: node edit: add option to include wireguard interfaces Stefan Hanreich
2026-05-07 14:08 ` partially-applied: [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=efea7f6d-ceff-45d0-a21e-b671b33a52b2@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox