wireguard: T7246: verify Base64 encoded 32byte boundary on keys

Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not
divide evenly by .75, so there's a padding character and the penultimate
character does not include the whole base64 alphabet.

Extend the base64 validator with an optional argument to define the length
to match of the decrypted Base64 encoded string.

Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html

3 files changed, 24 insertions, 23 deletions

diff --git a/interface-definitions/include/constraint/wireguard-keys.xml.i b/interface-definitions/include/constraint/wireguard-keys.xml.i
new file mode 100644
index 000000000..f59c86087
--- /dev/null
+++ b/interface-definitions/include/constraint/wireguard-keys.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from constraint/wireguard-keys.xml.i -->
+<constraint>
+  <validator name="base64" argument="--decoded-len 32"/>
+</constraint>
+<constraintErrorMessage>Key must be Base64-encoded with 32 bytes in length</constraintErrorMessage>
+<!-- include end -->
diff --git a/interface-definitions/interfaces_wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in
index 4f8b6c751..33cb5864a 100644
--- a/interface-definitions/interfaces_wireguard.xml.in
+++ b/interface-definitions/interfaces_wireguard.xml.in
@@ -56,10 +56,7 @@
           <leafNode name="private-key">
             <properties>
               <help>Base64 encoded private key</help>
-              <constraint>
-                <validator name="base64"/>
-              </constraint>
-              <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+              #include <include/constraint/wireguard-keys.xml.i>
             </properties>
           </leafNode>
           <tagNode name="peer">
@@ -75,20 +72,14 @@
               #include <include/generic-description.xml.i>
               <leafNode name="public-key">
                 <properties>
-                  <help>base64 encoded public key</help>
-                  <constraint>
-                    <validator name="base64"/>
-                  </constraint>
-                  <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+                  <help>Base64 encoded public key</help>
+                  #include <include/constraint/wireguard-keys.xml.i>
                 </properties>
               </leafNode>
               <leafNode name="preshared-key">
                 <properties>
-                  <help>base64 encoded preshared key</help>
-                  <constraint>
-                    <validator name="base64"/>
-                  </constraint>
-                  <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+                  <help>Base64 encoded preshared key</help>
+                  #include <include/constraint/wireguard-keys.xml.i>
                 </properties>
               </leafNode>
               <leafNode name="allowed-ips">
diff --git a/src/validators/base64 b/src/validators/base64
index e2b1e730d..a54168ef7 100755
--- a/src/validators/base64
+++ b/src/validators/base64
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,13 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import base64
-from sys import argv
+import argparse
 
-if __name__ == '__main__':
-    if len(argv) != 2:
-        exit(1)
-    try:
-        base64.b64decode(argv[1])
-    except:
+parser = argparse.ArgumentParser(description="Validate base64 input.")
+parser.add_argument("base64", help="Base64 encoded string to validate")
+parser.add_argument("--decoded-len", type=int, help="Optional list of valid lengths for the decoded input")
+args = parser.parse_args()
+
+try:
+    decoded = base64.b64decode(args.base64)
+    if args.decoded_len and len(decoded) != args.decoded_len:
         exit(1)
-    exit(0)
+except:
+    exit(1)
+exit(0)