wireguard: T7246: verify base64 encorded 32byte boundary on keys

c-po · c-po · commit 4a17dcf12276 · 2025-03-17T21:02:50.000+01:00
It's probably wisest to ignore differences between public keys and private keys and set aside any structure they might have by virtue of being related to elliptic curves, and instead just regard them as 32-byte strings encoded in base64. Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not divide evenly by .75, so there's a padding character and the penultimate character does not include the whole base64 alphabet. 43 base64 chars can represent up to 258bits, which is more than 256bits. So, you can either validate this with a base64 parser and checking that it returns exactly 32 bytes, or you can match against this simple regex: ^[A-Za-z0-9+/]{42}[A|E|I|M|Q|U|Y|c|g|k|o|s|w|4|8|0]=$ Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html
diff --git a/interface-definitions/include/constraint/wireguard-keys.xml.i b/interface-definitions/include/constraint/wireguard-keys.xml.i
@@ -0,0 +1,3 @@
+<!-- include start from constraint/wireguard-keys.xml.i -->
+<regex>[A-Za-z0-9+/]{42}[A|E|I|M|Q|U|Y|c|g|k|o|s|w|4|8|0]=</regex>
+<!-- include end -->
diff --git a/interface-definitions/interfaces_wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in
@@ -57,7 +57,7 @@
             <properties>
               <help>Base64 encoded private key</help>
               <constraint>
-                <validator name="base64"/>
+                #include <include/constraint/wireguard-keys.xml.i>
               </constraint>
               <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
             </properties>
@@ -77,7 +77,7 @@
                 <properties>
                   <help>base64 encoded public key</help>
                   <constraint>
-                    <validator name="base64"/>
+                    #include <include/constraint/wireguard-keys.xml.i>
                   </constraint>
                   <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
                 </properties>
@@ -86,7 +86,7 @@
                 <properties>
                   <help>base64 encoded preshared key</help>
                   <constraint>
-                    <validator name="base64"/>
+                    #include <include/constraint/wireguard-keys.xml.i>
                   </constraint>
                   <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
                 </properties>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<!-- include start from constraint/wireguard-keys.xml.i -->`
	`2`	`+<regex>[A-Za-z0-9+/]{42}[A\|E\|I\|M\|Q\|U\|Y\|c\|g\|k\|o\|s\|w\|4\|8\|0]=</regex>`
	`3`	`+<!-- include end -->`