wireguard: T7246: verify Base64 encoded 32byte boundary on keys

Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not
divide evenly by .75, so there's a padding character and the penultimate
character does not include the whole base64 alphabet.

Extend the base64 validator with an optional argument to define the length
to match of the decrypted Base64 encoded string.

Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html

1 files changed, 13 insertions, 9 deletions

diff --git a/src/validators/base64 b/src/validators/base64
index e2b1e730d..a54168ef7 100755
--- a/src/validators/base64
+++ b/src/validators/base64
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,13 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import base64
-from sys import argv
+import argparse
 
-if __name__ == '__main__':
-    if len(argv) != 2:
-        exit(1)
-    try:
-        base64.b64decode(argv[1])
-    except:
+parser = argparse.ArgumentParser(description="Validate base64 input.")
+parser.add_argument("base64", help="Base64 encoded string to validate")
+parser.add_argument("--decoded-len", type=int, help="Optional list of valid lengths for the decoded input")
+args = parser.parse_args()
+
+try:
+    decoded = base64.b64decode(args.base64)
+    if args.decoded_len and len(decoded) != args.decoded_len:
         exit(1)
-    exit(0)
+except:
+    exit(1)
+exit(0)