author | Christian Breunig <christian@breunig.cc> | 2025-03-20 22:00:10 +0100 |
committer | Christian Breunig <christian@breunig.cc> | 2025-03-20 22:00:10 +0100 |
commit | 8021bdd62e4142caf4a5e82000c8ca3da99fcae4 (patch) | |
tree | adb02422a3cfe1fb17613f8523a925ab5e5c6204 /interface-definitions | |
parent | 95af91597c94856a38722daa5ea388646f9b735f (diff) | |
wireguard: T7246: verify Base64 encoded 32byte boundary on keys
Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not
divide evenly by .75, so there's a padding character and the penultimate
character does not include the whole base64 alphabet.
Extend the base64 validator with an optional argument that defines the
expected length of the decoded Base64 string.
Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html
Diffstat (limited to 'interface-definitions')
-rw-r--r-- | interface-definitions/include/constraint/wireguard-keys.xml.i | 6 | ||||
-rw-r--r-- | interface-definitions/interfaces_wireguard.xml.in | 19 |
2 files changed, 11 insertions, 14 deletions
diff --git a/interface-definitions/include/constraint/wireguard-keys.xml.i b/interface-definitions/include/constraint/wireguard-keys.xml.i
new file mode 100644
index 000000000..f59c86087
--- /dev/null
+++ b/interface-definitions/include/constraint/wireguard-keys.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from constraint/wireguard-keys.xml.i -->
+<constraint>
+ <validator name="base64" argument="--decoded-len 32"/>
+</constraint>
+<constraintErrorMessage>Key must be Base64-encoded with 32 bytes in length</constraintErrorMessage>
+<!-- include end -->
diff --git a/interface-definitions/interfaces_wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in
index 4f8b6c751..33cb5864a 100644
--- a/interface-definitions/interfaces_wireguard.xml.in
+++ b/interface-definitions/interfaces_wireguard.xml.in
@@ -56,10 +56,7 @@
 <leafNode name="private-key">
 <properties>
 <help>Base64 encoded private key</help>
- <constraint>
- <validator name="base64"/>
- </constraint>
- <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+ #include <include/constraint/wireguard-keys.xml.i>
 </properties>
 </leafNode>
 <tagNode name="peer">
@@ -75,20 +72,14 @@
 #include <include/generic-description.xml.i>
 <leafNode name="public-key">
 <properties>
- <help>base64 encoded public key</help>
- <constraint>
- <validator name="base64"/>
- </constraint>
- <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+ <help>Base64 encoded public key</help>
+ #include <include/constraint/wireguard-keys.xml.i>
 </properties>
 </leafNode>
 <leafNode name="preshared-key">
 <properties>
- <help>base64 encoded preshared key</help>
- <constraint>
- <validator name="base64"/>
- </constraint>
- <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
+ <help>Base64 encoded preshared key</help>
+ #include <include/constraint/wireguard-keys.xml.i>
 </properties>
 </leafNode>
 <leafNode name="allowed-ips">
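Review bot: The new `wireguard-keys.xml.i` constraint depends on the `base64` validator accepting `--decoded-len 32`, but the validator change is not in this diffstat (limited to 'interface-definitions'), so the include is only safe to merge together with the commit that adds that flag; a one-line comment in the include naming that dependency would help, e.g. `<!-- requires the base64 validator to support --decoded-len -->`. A decoded-length check alone does not guarantee a canonical encoding: as the commit message notes, a 32-byte value ends in one padding character whose preceding symbol carries unused bits, so if the validator's decoder silently discards those bits, several distinct strings will be accepted for the same key, which can confuse config comparison and key de-duplication; if the validator does not already re-encode and compare, consider having it reject non-canonical input. The error message `Key must be Base64-encoded with 32 bytes in length` reads awkwardly; `Key must be a Base64-encoded 32-byte value` is clearer. The same include is applied to `private-key`, `public-key` and `preshared-key` in the two `interfaces_wireguard.xml.in` hunks, so the points above cover those hunks as well.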