feat!: remove DEFAULT_CIPHER/DEFAULT_NONCE public constants #75
Merged
These constants seeded a world-known XChaCha20-Poly1305 key and a
fixed 24-byte nonce. Any node that started without explicit
`--cipher` / `--nonce` configuration encrypted all delegate secrets
under this pair. Combined with the per-delegate nonce reuse fixed in
freenet-core PR #4143, the result was that default-configured nodes'
delegate secrets were trivially recoverable by anyone who could read
the secrets directory.
The wire format `RegisterDelegate { cipher: [u8; 32], nonce: [u8; 24] }`
is unchanged — only the named public constants are removed. Servers
running freenet-core >= 0.2.59 generate per-write random nonces and
ignore the registration nonce except as a legacy-decrypt fallback for
pre-0.2.59 on-disk files. Callers that previously named the consts
must generate a fresh 32-byte cipher per delegate (e.g. via
`XChaCha20Poly1305::generate_key(&mut OsRng)`) and may pass any 24-byte
nonce value (it is no longer used for new writes).
Bumps stdlib to 0.8.0 since dropping public consts is a breaking
change for any consumer that named them. Wire-format pin tests
(`*_wire_format_is_stable`) are unaffected because the enum variant
discriminants are untouched.
Refs: freenet/freenet-core#4137, freenet/freenet-core#4139
Problem
`DelegateRequest::DEFAULT_CIPHER` (`[u8; 32]`) and `DelegateRequest::DEFAULT_NONCE` (`[u8; 24]`) seeded a world-known XChaCha20-Poly1305 key and a fixed 24-byte nonce. Any freenet node that started without explicit `--cipher` / `--nonce` configuration encrypted all delegate secrets under this pair. Combined with the per-delegate nonce reuse fixed in freenet-core PR #4143, the result was that default-configured nodes' delegate secrets were trivially recoverable by anyone who could read the secrets directory.

PR #4143 closed the catastrophic-reuse half (per-write random nonce + on-disk versioned format with legacy fallback). This stdlib PR closes the world-known-key half so the next freenet-core PR can replace the `DEFAULT_CIPHER` fallback with auto-generated, per-node persisted ciphers.

Solution
Delete the two `pub const` declarations from `DelegateRequest`. The wire format `RegisterDelegate { cipher: [u8; 32], nonce: [u8; 24] }` is unchanged — only the named public constants are removed. Servers running freenet-core >= 0.2.59 generate per-write random nonces and treat the registration nonce as a read-side legacy fallback only.

Callers that previously named the consts must now:
- `XChaCha20Poly1305::generate_key(&mut OsRng)`).
- `[0u8; 24]`); it is no longer used by the server for new writes.

Version bump
`0.7.0` → `0.8.0`. Pre-1.0 semver: removing public consts is a breaking change for any consumer that named them, so the minor version bumps.

Wire-format pin tests
Untouched. The enum variant discriminants for `DelegateRequest` are not reordered, and the field shape of `RegisterDelegate` is unchanged. `*_wire_format_is_stable` tests continue to pass without modification.

Testing
- `cargo test --all` — 19 passed, 0 failed; doc-tests pass.
- `cargo fmt --all --check` clean.
- `cargo clippy --all -- -D warnings` clean.

Next
After merge + `cargo publish 0.8.0` to crates.io, freenet-core PR B2 will:
- `freenet-stdlib = "0.8.0"`.
- `DEFAULT_CIPHER` fallback in `crates/core/src/config/secret.rs::SecretArgs::build` with an auto-generated cipher persisted to `secrets_dir/delegate_cipher` (mirroring the existing `transport_keypair` auto-persist).
- `--nonce` CLI flag (nonces are now per-write).

Refs: freenet/freenet-core#4137 (tracker), freenet/freenet-core#4139 (sub-issue).
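
Added example, not code from this PR or from freenet: a std-only Rust sketch of why a key and nonce shared by every default-configured node cannot protect delegate secrets, and what a fresh key and nonce per write change. It uses the plain ChaCha20 keystream of RFC 8439 (12-byte nonce, no Poly1305 tag) instead of full XChaCha20-Poly1305; the key, nonce and secrets are constructed values, and `os_random` is a hypothetical stand-in (assuming `/dev/urandom`) for the `XChaCha20Poly1305::generate_key(&mut OsRng)` call named in the PR.

```rust
use std::{fs::File, io::Read};
const QR: [[usize; 4]; 8] = [[0, 4, 8, 12], [1, 5, 9, 13], [2, 6, 10, 14], [3, 7, 11, 15],
                             [0, 5, 10, 15], [1, 6, 11, 12], [2, 7, 8, 13], [3, 4, 9, 14]];

/// One ChaCha20 block (RFC 8439): the keystream generator underneath XChaCha20-Poly1305.
fn chacha20_block(key: &[u8; 32], counter: u32, nonce: &[u8; 12]) -> [u8; 64] {
    let le = |b: &[u8], i: usize| u32::from_le_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]);
    let mut s = [0x61707865u32, 0x3320646e, 0x79622d32, 0x6b206574, 0, 0, 0, 0, 0, 0, 0, 0, counter, 0, 0, 0];
    for i in 0..8 { s[4 + i] = le(&key[..], 4 * i); }
    for i in 0..3 { s[13 + i] = le(&nonce[..], 4 * i); }
    let init = s;
    for _ in 0..10 {
        for &[a, b, c, d] in QR.iter() { // four column, then four diagonal quarter-rounds
            s[a] = s[a].wrapping_add(s[b]); s[d] = (s[d] ^ s[a]).rotate_left(16);
            s[c] = s[c].wrapping_add(s[d]); s[b] = (s[b] ^ s[c]).rotate_left(12);
            s[a] = s[a].wrapping_add(s[b]); s[d] = (s[d] ^ s[a]).rotate_left(8);
            s[c] = s[c].wrapping_add(s[d]); s[b] = (s[b] ^ s[c]).rotate_left(7);
        }
    }
    std::array::from_fn(|i| s[i / 4].wrapping_add(init[i / 4]).to_le_bytes()[i % 4])
}

/// XOR `data` with the (key, nonce) keystream; encryption and decryption are the same call.
fn xor_stream(key: &[u8; 32], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    data.chunks(64).enumerate().flat_map(|(i, chunk)| {
        let ks = chacha20_block(key, 1 + i as u32, nonce);
        chunk.iter().zip(ks).map(|(p, k)| p ^ k).collect::<Vec<u8>>()
    }).collect()
}

/// True when two ciphertexts of equal-length secrets XOR to the XOR of the plaintexts.
fn leaks_xor(c1: &[u8], c2: &[u8], p1: &[u8], p2: &[u8]) -> bool {
    (0..p1.len()).all(|i| c1[i] ^ c2[i] == p1[i] ^ p2[i])
}

fn os_random<const N: usize>() -> [u8; N] { // hypothetical helper; assumes /dev/urandom
    let mut buf = [0u8; N];
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("OS RNG");
    buf
}

fn main() {
    let (p1, p2) = (b"secret-of-delegate-A", b"secret-of-delegate-B"); // constructed secrets
    let (key, nonce) = ([0x42u8; 32], [0u8; 12]); // constructed stand-ins for a shared default pair
    let (c1, c2) = (xor_stream(&key, &nonce, p1), xor_stream(&key, &nonce, p2));
    println!("shared key + nonce leaks p1^p2: {}", leaks_xor(&c1, &c2, p1, p2));
    let d1 = xor_stream(&os_random(), &os_random(), p1); // fresh key and nonce per write
    let d2 = xor_stream(&os_random(), &os_random(), p2);
    println!("fresh key + nonce leaks p1^p2:  {}", leaks_xor(&d1, &d2, p1, p2));
}
```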