TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2024-11-29 04:55:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

ipn,tailcfg: transmit NodeID in tka init RPCs

Browse Source 
Needed to identify the node. A serverside-check the machine key (used
to authenticate the noise session) is that of the specified NodeID
ensures the authenticity of the request.

Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto 2022-08-22 14:39:07 -07:00 committed by Tom
parent a78f8fa701
commit 039def3b50
2 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ipn/ipnlocal/network-lock.go
View File

@ -20,6 +20,7 @@
"tailscale.com/tailcfg"
"tailscale.com/tka"
"tailscale.com/types/key"
"tailscale.com/types/netmap"
"tailscale.com/types/tkatype"
)
@ -82,6 +83,11 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
if !b.CanSupportNetworkLock() {
return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
}
nm := b.NetMap()
if nm == nil {
return errors.New("no netmap: are you logged into tailscale?")
}
// Generates a genesis AUM representing trust in the provided keys.
// We use an in-memory tailchonk because we don't want to commit to
@ -102,7 +108,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
}
// Phase 1/2 of initialization: Transmit the genesis AUM to Control.
initResp, err := b.tkaInitBegin(genesisAUM)
initResp, err := b.tkaInitBegin(nm, genesisAUM)
if err != nil {
return fmt.Errorf("tka init-begin RPC: %w", err)
}
@ -123,7 +129,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
}
// Finalize enablement by transmitting signature for all nodes to Control.
_, err = b.tkaInitFinish(sigs)
_, err = b.tkaInitFinish(nm, sigs)
return err
}
@ -145,9 +151,10 @@ func signNodeKey(nk key.NodePublic, signer key.NLPrivate) (*tka.NodeKeySignature
return &sig, nil
}
func (b *LocalBackend) tkaInitBegin(aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
var req bytes.Buffer
if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitBeginRequest{
NodeID: nm.SelfNode.ID,
GenesisAUM: aum.Serialize(),
}); err != nil {
return nil, fmt.Errorf("encoding request: %v", err)
@ -185,9 +192,10 @@ func (b *LocalBackend) tkaInitBegin(aum tka.AUM) (*tailcfg.TKAInitBeginResponse,
}
}
func (b *LocalBackend) tkaInitFinish(nks []tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks []tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
var req bytes.Buffer
if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitFinishRequest{
NodeID: nm.SelfNode.ID,
Signatures: nks,
}); err != nil {
return nil, fmt.Errorf("encoding request: %v", err)

2
tailcfg/tailcfg.go
View File

@ -1845,6 +1845,8 @@ type TKAInitBeginResponse struct {
// TKAInitFinishRequest finalizes initialization of the tailnet key authority
// by submitting node-key signatures for all existing nodes.
type TKAInitFinishRequest struct {
NodeID NodeID
Signatures []tkatype.MarshaledSignature
}