From 8021bdd62e4142caf4a5e82000c8ca3da99fcae4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 20 Mar 2025 22:00:10 +0100 Subject: wireguard: T7246: verify Base64 encoded 32byte boundary on keys Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not divide evenly by .75, so there's a padding character and the penultimate character does not include the whole base64 alphabet. Extend the base64 validator with an optional argument to define the length to match of the decrypted Base64 encoded string. Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html --- .../include/constraint/wireguard-keys.xml.i | 6 ++++++ interface-definitions/interfaces_wireguard.xml.in | 19 +++++-------------- 2 files changed, 11 insertions(+), 14 deletions(-) create mode 100644 interface-definitions/include/constraint/wireguard-keys.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/constraint/wireguard-keys.xml.i b/interface-definitions/include/constraint/wireguard-keys.xml.i new file mode 100644 index 000000000..f59c86087 --- /dev/null +++ b/interface-definitions/include/constraint/wireguard-keys.xml.i @@ -0,0 +1,6 @@ + + + + +Key must be Base64-encoded with 32 bytes in length + diff --git a/interface-definitions/interfaces_wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in index 4f8b6c751..33cb5864a 100644 --- a/interface-definitions/interfaces_wireguard.xml.in +++ b/interface-definitions/interfaces_wireguard.xml.in @@ -56,10 +56,7 @@ Base64 encoded private key - - - - Key is not base64-encoded + #include @@ -75,20 +72,14 @@ #include - base64 encoded public key - - - - Key is not base64-encoded + Base64 encoded public key + #include - base64 encoded preshared key - - - - Key is not base64-encoded + Base64 encoded preshared key + #include -- cgit v1.2.3
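Review bot: The error text added in `include/constraint/wireguard-keys.xml.i`, `Key must be Base64-encoded with 32 bytes in length`, does not say whether 32 counts the encoded string or the decoded key, so an operator pasting a valid 44-character key can misread it. The commit message says the length applies to the decoded value, so I would word it as `Key must be Base64-encoded and decode to exactly 32 bytes (44 characters)`. The same include now serves the private, public and preshared key nodes in `interfaces_wireguard.xml.in`, so this one message has to fit all three. The markup of the added lines is not visible in this rendering, so I cannot confirm from here that the constraint passes the length argument the commit message describes.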