Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wireguard: T7246: verify Base64 encoded 32byte boundary on keys #4402

Merged
merged 1 commit into from
Mar 20, 2025
Merged

wireguard: T7246: verify Base64 encoded 32byte boundary on keys #4402

merged 1 commit into from
Mar 20, 2025
+24 −23

Conversation

c-po
Copy link
Member

@c-po c-po commented Mar 17, 2025
edited
Loading

Change summary

Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not divide evenly by .75, so there's a padding character and the penultimate character does not include the whole base64 alphabet.

Extend the base64 validator with an optional argument to define the length to match of the decrypted Base64 encoded string.

Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

set interfaces wireguard wg01 peer to-wg02 public-key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='

vyos@vyos# set interfaces wireguard wg01 peer to-wg02 public-key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+QU='




  Key must be Base64-encoded with 32 bytes in length
  Value validation failed
  Set failed

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_pki.py
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 20.373s

OK

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireguard.py
test_add_multiple_ip_addresses (__main__.WireGuardInterfaceTest.test_add_multiple_ip_addresses) ... ok
test_add_single_ip_address (__main__.WireGuardInterfaceTest.test_add_single_ip_address) ... ok
test_add_to_invalid_vrf (__main__.WireGuardInterfaceTest.test_add_to_invalid_vrf) ... ok
test_dhcp_client_options (__main__.WireGuardInterfaceTest.test_dhcp_client_options) ... skipped 'not supported'
test_dhcp_disable_interface (__main__.WireGuardInterfaceTest.test_dhcp_disable_interface) ... skipped 'not supported'
test_dhcp_vrf (__main__.WireGuardInterfaceTest.test_dhcp_vrf) ... skipped 'not supported'
test_dhcpv6_client_options (__main__.WireGuardInterfaceTest.test_dhcpv6_client_options) ... skipped 'not supported'
test_dhcpv6_vrf (__main__.WireGuardInterfaceTest.test_dhcpv6_vrf) ... skipped 'not supported'
test_dhcpv6pd_auto_sla_id (__main__.WireGuardInterfaceTest.test_dhcpv6pd_auto_sla_id) ... skipped 'not supported'
test_dhcpv6pd_manual_sla_id (__main__.WireGuardInterfaceTest.test_dhcpv6pd_manual_sla_id) ... skipped 'not supported'
test_eapol (__main__.WireGuardInterfaceTest.test_eapol) ... skipped 'not supported'
test_interface_description (__main__.WireGuardInterfaceTest.test_interface_description) ... ok
test_interface_disable (__main__.WireGuardInterfaceTest.test_interface_disable) ... ok
test_interface_ip_options (__main__.WireGuardInterfaceTest.test_interface_ip_options) ... ok
test_interface_ipv6_options (__main__.WireGuardInterfaceTest.test_interface_ipv6_options) ... ok
test_interface_mtu (__main__.WireGuardInterfaceTest.test_interface_mtu) ... ok
test_ipv6_link_local_address (__main__.WireGuardInterfaceTest.test_ipv6_link_local_address) ... ok
test_move_interface_between_vrf_instances (__main__.WireGuardInterfaceTest.test_move_interface_between_vrf_instances) ... ok
test_mtu_1200_no_ipv6_interface (__main__.WireGuardInterfaceTest.test_mtu_1200_no_ipv6_interface) ... ok
test_span_mirror (__main__.WireGuardInterfaceTest.test_span_mirror) ... skipped 'not supported'
test_vif_8021q_interfaces (__main__.WireGuardInterfaceTest.test_vif_8021q_interfaces) ... skipped 'not supported'
test_vif_8021q_lower_up_down (__main__.WireGuardInterfaceTest.test_vif_8021q_lower_up_down) ... skipped 'not supported'
test_vif_8021q_mtu_limits (__main__.WireGuardInterfaceTest.test_vif_8021q_mtu_limits) ... skipped 'not supported'
test_vif_8021q_qos_change (__main__.WireGuardInterfaceTest.test_vif_8021q_qos_change) ... skipped 'not supported'
test_vif_s_8021ad_vlan_interfaces (__main__.WireGuardInterfaceTest.test_vif_s_8021ad_vlan_interfaces) ... skipped 'not supported'
test_vif_s_protocol_change (__main__.WireGuardInterfaceTest.test_vif_s_protocol_change) ... skipped 'not supported'
test_wireguard_add_remove_peer (__main__.WireGuardInterfaceTest.test_wireguard_add_remove_peer) ... ok
test_wireguard_hostname (__main__.WireGuardInterfaceTest.test_wireguard_hostname) ... ok
test_wireguard_peer (__main__.WireGuardInterfaceTest.test_wireguard_peer) ... ok
test_wireguard_peer_pubkey_change (__main__.WireGuardInterfaceTest.test_wireguard_peer_pubkey_change) ... ok
test_wireguard_same_public_key (__main__.WireGuardInterfaceTest.test_wireguard_same_public_key) ... ok
test_wireguard_threaded (__main__.WireGuardInterfaceTest.test_wireguard_threaded) ... ok

----------------------------------------------------------------------
Ran 32 tests in 316.987s

OK (skipped=15)

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@c-po c-po requested a review from a team as a code owner March 17, 2025 20:05
@c-po c-po added bp/sagitta Create automatic backport for sagitta LTS version bp/circinus Create automatic backport for circinus labels Mar 17, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 17, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@c-po c-po marked this pull request as draft March 17, 2025 20:15
@sever-sever
Copy link
Member

sever-sever commented Mar 18, 2025
edited
Loading

As I understand, that task describes that it is a valid key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='

@c-po c-po marked this pull request as ready for review March 18, 2025 14:03
@c-po
Copy link
Member Author

c-po commented Mar 18, 2025

As I understand, that task describes that it is a valid key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='

This issue consists out of two parts. One with a more strict regex solved here in the regex and another one in the general CLI interaction in Config().get_config_dict()

@dmbaturin dmbaturin changed the title wireguard: T7246: verify base64 encorded 32byte boundary on keys wireguard: T7246: verify base64 encoded 32byte boundary on keys Mar 18, 2025
@c-po c-po changed the title wireguard: T7246: verify base64 encoded 32byte boundary on keys wireguard: T7246: verify Base64 encoded 32byte boundary on keys Mar 20, 2025
@c-po
wireguard: T7246: verify Base64 encoded 32byte boundary on keys
8021bdd 
Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not
divide evenly by .75, so there's a padding character and the penultimate
character does not include the whole base64 alphabet.

Extend the base64 validator with an optional argument to define the length
to match of the decrypted Base64 encoded string.

Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html
@c-po c-po force-pushed the wireguard-key-T7246 branch from 4a17dcf to 8021bdd Compare March 20, 2025 21:00
@c-po c-po enabled auto-merge March 20, 2025 21:04
@c-po c-po disabled auto-merge March 20, 2025 21:04
@c-po c-po merged commit f2d427b into vyos:current Mar 20, 2025
11 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Mar 20, 2025
@github-actions GitHub Actions
Copy link

CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests (interfaces only) ❌ failed
  • Config tests ❌ failed
  • RAID1 tests ❌ failed
  • TPM tests ❌ failed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sarthurdev sarthurdev sarthurdev approved these changes

@sever-sever sever-sever sever-sever approved these changes

@dmbaturin dmbaturin Awaiting requested review from dmbaturin dmbaturin is a code owner automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro is a code owner automatically assigned from vyos/reviewers

Assignees

@c-po c-po

Labels
bp/circinus Create automatic backport for circinus bp/sagitta Create automatic backport for sagitta LTS version current mirror-completed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@c-po @sever-sever @sarthurdev @vyosbot