Certain private keys being mangled by wg on FreeBSD

Jason A. Donenfeld Jason at zx2c4.com
Sun Jun 6 15:09:01 UTC 2021


It looks like whatever is generating those private keys is not
clamping them. Specifically, all private keys should undergo this
transformation:

        key[0] &= 248;
        key[31] = (key[31] & 127) | 64;

In your case, your `Lm` prefix (first byte: 0x2c) is being anded with
248, and thus turns into KG (first byte: 0x28).

The kernel properly clamps the keys on input, though, in case
generators forget to clamp them. So what you're seeing is correct
behavior.
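
The clamping step described in the message above, as an added example that is not part of the original post or of the WireGuard code base: it checks whether a base64 private key is already clamped and prints the form wg will display after the kernel clamps it. The function names and the sample key are constructed for illustration; the key is chosen only so that its base64 form starts with `Lm`.

```python
import base64

KEY_LEN = 32  # Curve25519 private keys are 32 bytes


def clamp(key: bytes) -> bytes:
    """Apply the transformation quoted in the message to a raw 32-byte key."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} bytes, got {len(key)}")
    k = bytearray(key)
    k[0] &= 248                 # clear the three lowest bits of the first byte
    k[31] = (k[31] & 127) | 64  # clear the top bit, set the second-highest bit
    return bytes(k)


def check_key(b64_key: str) -> tuple[bool, str]:
    """Return (already_clamped, clamped_key_as_base64) for a base64 private key."""
    raw = base64.b64decode(b64_key, validate=True)
    clamped = clamp(raw)
    return raw == clamped, base64.b64encode(clamped).decode("ascii")


# Constructed sample key (not a real secret): unclamped on purpose, so the
# first base64 characters change once the clamp is applied.
UNCLAMPED_B64 = base64.b64encode(
    bytes([0x2E, 0x60]) + bytes(range(2, 31)) + bytes([0xFF])
).decode("ascii")


if __name__ == "__main__":
    ok, shown = check_key(UNCLAMPED_B64)
    print("configured:", UNCLAMPED_B64)
    print("clamped:   ", shown)
    print("generator clamps its keys:", ok)
```

Running `check_key` over the output of a key generator shows whether it clamps: a generator that does will always return `True` in the first element.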

