Security-focused release of go-libp2p-core

We’ll be releasing a security-focused release of go-libp2p-core, v0.2.0, that brings some of libp2p’s cryptographic practices up to industry standards. While these changes don’t break existing APIs, they do incur breakage through the following changes:

  • libp2p will return an error when a user attempts to generate RSA keys of less than 2048 bits. We recommend switching tests to use go-libp2p-testing’s latest release, which defaults to Ed25519. If, for some reason, you must use RSA keys of less than 2048 bits in a test, you may set the environment variable LIBP2P_ALLOW_WEAK_RSA_KEYS to any non-empty value (e.g. “on”), which will lower the minimum requirement to 512 bits (landing in v0.2.0).
  • libp2p no longer supports the Blowfish cipher (landing in a follow-up release).

Additional changes that have landed recently include:

  • v0.0.7 which switches all key comparisons to use constant-time comparisons.
  • v0.0.8 which returns an error rather than panicking when an unknown curve type is passed to our elliptic curve key generating functions.
  • v0.1.0 which introduces a new implementation of the insecure transport (FOR TESTING USE ONLY) which conforms to the recently published specification for plaintext key exchange.
2 Likes

An update: these changes have been propagated up to the new go-libp2p v0.3.0 release.