diff --git a/cmd/tl-longchain/tl-longchain.go b/cmd/tl-longchain/tl-longchain.go new file mode 100644 index 000000000..c92714505 --- /dev/null +++ b/cmd/tl-longchain/tl-longchain.go @@ -0,0 +1,93 @@ +// Copyright (c) Tailscale Inc & AUTHORS +// SPDX-License-Identifier: BSD-3-Clause + +// Program tl-longchain prints commands to re-sign Tailscale nodes that have +// long rotation signature chains. +// +// There is an implicit limit on the number of rotation signatures that can +// be chained before the signature becomes too long. This program helps +// tailnet admins to identify nodes that have signatures with long chains and +// prints commands to re-sign those node keys with a fresh direct signature. +// Commands are printed to stdout, while log messages are printed to stderr. +// +// Note that the Tailscale client this command is executed on must have +// ACL visibility to all other nodes to be able to see their signatures. +// https://tailscale.com/kb/1087/device-visibility +package main + +import ( + "context" + "flag" + "fmt" + "log" + "time" + + "tailscale.com/client/tailscale" + "tailscale.com/ipn/ipnstate" + "tailscale.com/tka" + "tailscale.com/types/key" +) + +var ( + flagSocket = flag.String("socket", "", "custom path to tailscaled socket") + maxRotations = flag.Int("rotations", 10, "number of rotation signatures before re-signing (max 16)") + showFiltered = flag.Bool("show-filtered", false, "include nodes with invalid signatures") +) + +func main() { + flag.Parse() + + lc := tailscale.LocalClient{Socket: *flagSocket} + if lc.Socket != "" { + lc.UseSocketOnly = true + } + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + + st, err := lc.NetworkLockStatus(ctx) + if err != nil { + log.Fatalf("could not get Tailnet Lock status: %v", err) + } + if !st.Enabled { + log.Print("Tailnet Lock is not enabled") + return + } + print("Self", *st.NodeKey, *st.NodeKeySignature) + if len(st.VisiblePeers) > 0 { + log.Print("Visible peers with valid signatures:") + for _, peer := range st.VisiblePeers { + print(peerInfo(peer), peer.NodeKey, peer.NodeKeySignature) + } + } + if *showFiltered && len(st.FilteredPeers) > 0 { + log.Print("Visible peers with invalid signatures:") + for _, peer := range st.FilteredPeers { + print(peerInfo(peer), peer.NodeKey, peer.NodeKeySignature) + } + } +} + +// peerInfo returns a string with information about a peer. +func peerInfo(peer *ipnstate.TKAPeer) string { + return fmt.Sprintf("Peer %s (%s) nodeid=%s, current signature kind=%v", peer.Name, peer.TailscaleIPs[0], peer.StableID, peer.NodeKeySignature.SigKind) +} + +// print prints a message about a node key signature and a re-signing command if needed. +func print(info string, nodeKey key.NodePublic, sig tka.NodeKeySignature) { + if l := chainLength(sig); l > *maxRotations { + log.Printf("%s: chain length %d, printing command to re-sign", info, l) + wrapping, _ := sig.UnverifiedWrappingPublic() + fmt.Printf("tailscale lock sign %s %s\n", nodeKey, key.NLPublicFromEd25519Unsafe(wrapping).CLIString()) + } else { + log.Printf("%s: does not need re-signing", info) + } +} + +// chainLength returns the length of the rotation signature chain. +func chainLength(sig tka.NodeKeySignature) int { + if sig.SigKind != tka.SigRotation { + return 1 + } + return 1 + chainLength(*sig.Nested) +} diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go index 90d3e30e7..6b64ea625 100644 --- a/ipn/ipnlocal/network-lock.go +++ b/ipn/ipnlocal/network-lock.go @@ -53,7 +53,7 @@ type tkaState struct { profile ipn.ProfileID authority *tka.Authority storage *tka.FS - filtered []ipnstate.TKAFilteredPeer + filtered []ipnstate.TKAPeer } // tkaFilterNetmapLocked checks the signatures on each node key, dropping @@ -99,7 +99,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) { // nm.Peers is ordered, so deletion must be order-preserving. if len(toDelete) > 0 || len(obsoleteByRotation) > 0 { peers := make([]tailcfg.NodeView, 0, len(nm.Peers)) - filtered := make([]ipnstate.TKAFilteredPeer, 0, len(toDelete)+len(obsoleteByRotation)) + filtered := make([]ipnstate.TKAPeer, 0, len(toDelete)+len(obsoleteByRotation)) for i, p := range nm.Peers { if !toDelete[i] && !obsoleteByRotation.Contains(p.Key()) { peers = append(peers, p) @@ -108,20 +108,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) { b.logf("Network lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID()) } // Record information about the node we filtered out. - fp := ipnstate.TKAFilteredPeer{ - Name: p.Name(), - ID: p.ID(), - StableID: p.StableID(), - TailscaleIPs: make([]netip.Addr, p.Addresses().Len()), - NodeKey: p.Key(), - } - for i := range p.Addresses().Len() { - addr := p.Addresses().At(i) - if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.Addr()) { - fp.TailscaleIPs[i] = addr.Addr() - } - } - filtered = append(filtered, fp) + filtered = append(filtered, tkaStateFromPeer(p)) } } nm.Peers = peers @@ -546,11 +533,17 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus { } } - filtered := make([]*ipnstate.TKAFilteredPeer, len(b.tka.filtered)) + filtered := make([]*ipnstate.TKAPeer, len(b.tka.filtered)) for i := range len(filtered) { filtered[i] = b.tka.filtered[i].Clone() } + visible := make([]*ipnstate.TKAPeer, len(b.netMap.Peers)) + for i, p := range b.netMap.Peers { + s := tkaStateFromPeer(p) + visible[i] = &s + } + stateID1, _ := b.tka.authority.StateIDs() return &ipnstate.NetworkLockStatus{ @@ -562,10 +555,32 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus { NodeKeySignature: nodeKeySignature, TrustedKeys: outKeys, FilteredPeers: filtered, + VisiblePeers: visible, StateID: stateID1, } } +func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer { + fp := ipnstate.TKAPeer{ + Name: p.Name(), + ID: p.ID(), + StableID: p.StableID(), + TailscaleIPs: make([]netip.Addr, 0, p.Addresses().Len()), + NodeKey: p.Key(), + } + for i := range p.Addresses().Len() { + addr := p.Addresses().At(i) + if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.Addr()) { + fp.TailscaleIPs = append(fp.TailscaleIPs, addr.Addr()) + } + } + var decoded tka.NodeKeySignature + if err := decoded.Unserialize(p.KeySignature().AsSlice()); err == nil { + fp.NodeKeySignature = decoded + } + return fp +} + // NetworkLockInit enables network-lock for the tailnet, with the tailnets' // key authority initialized to trust the provided keys. // diff --git a/ipn/ipnstate/ipnstate.go b/ipn/ipnstate/ipnstate.go index b38d75e5a..9f8bd34f6 100644 --- a/ipn/ipnstate/ipnstate.go +++ b/ipn/ipnstate/ipnstate.go @@ -26,7 +26,7 @@ "tailscale.com/version" ) -//go:generate go run tailscale.com/cmd/cloner -clonefunc=false -type=TKAFilteredPeer +//go:generate go run tailscale.com/cmd/cloner -clonefunc=false -type=TKAPeer // Status represents the entire state of the IPN network. type Status struct { @@ -94,15 +94,14 @@ type TKAKey struct { Votes uint } -// TKAFilteredPeer describes a peer which was removed from the netmap -// (i.e. no connectivity) because it failed tailnet lock -// checks. -type TKAFilteredPeer struct { - Name string // DNS - ID tailcfg.NodeID - StableID tailcfg.StableNodeID - TailscaleIPs []netip.Addr // Tailscale IP(s) assigned to this node - NodeKey key.NodePublic +// TKAPeer describes a peer and its network lock details. +type TKAPeer struct { + Name string // DNS + ID tailcfg.NodeID + StableID tailcfg.StableNodeID + TailscaleIPs []netip.Addr // Tailscale IP(s) assigned to this node + NodeKey key.NodePublic + NodeKeySignature tka.NodeKeySignature } // NetworkLockStatus represents whether network-lock is enabled, @@ -134,10 +133,14 @@ type NetworkLockStatus struct { // to network-lock. TrustedKeys []TKAKey + // VisiblePeers describes peers which are visible in the netmap that + // have valid Tailnet Lock signatures signatures. + VisiblePeers []*TKAPeer + // FilteredPeers describes peers which were removed from the netmap // (i.e. no connectivity) because they failed tailnet lock // checks. - FilteredPeers []*TKAFilteredPeer + FilteredPeers []*TKAPeer // StateID is a nonce associated with the network lock authority, // generated upon enablement. This field is not populated if the diff --git a/ipn/ipnstate/ipnstate_clone.go b/ipn/ipnstate/ipnstate_clone.go index 262daf3f2..20ae43c5f 100644 --- a/ipn/ipnstate/ipnstate_clone.go +++ b/ipn/ipnstate/ipnstate_clone.go @@ -9,26 +9,29 @@ "net/netip" "tailscale.com/tailcfg" + "tailscale.com/tka" "tailscale.com/types/key" ) -// Clone makes a deep copy of TKAFilteredPeer. +// Clone makes a deep copy of TKAPeer. // The result aliases no memory with the original. -func (src *TKAFilteredPeer) Clone() *TKAFilteredPeer { +func (src *TKAPeer) Clone() *TKAPeer { if src == nil { return nil } - dst := new(TKAFilteredPeer) + dst := new(TKAPeer) *dst = *src dst.TailscaleIPs = append(src.TailscaleIPs[:0:0], src.TailscaleIPs...) + dst.NodeKeySignature = *src.NodeKeySignature.Clone() return dst } // A compilation failure here means this code must be regenerated, with the command at the top of this file. -var _TKAFilteredPeerCloneNeedsRegeneration = TKAFilteredPeer(struct { - Name string - ID tailcfg.NodeID - StableID tailcfg.StableNodeID - TailscaleIPs []netip.Addr - NodeKey key.NodePublic +var _TKAPeerCloneNeedsRegeneration = TKAPeer(struct { + Name string + ID tailcfg.NodeID + StableID tailcfg.StableNodeID + TailscaleIPs []netip.Addr + NodeKey key.NodePublic + NodeKeySignature tka.NodeKeySignature }{}) diff --git a/tka/sig.go b/tka/sig.go index 6c68a588e..d3fe0ff6c 100644 --- a/tka/sig.go +++ b/tka/sig.go @@ -19,6 +19,8 @@ "tailscale.com/types/tkatype" ) +//go:generate go run tailscale.com/cmd/cloner -clonefunc=false -type=NodeKeySignature + // SigKind describes valid NodeKeySignature types. type SigKind uint8 diff --git a/tka/tka_clone.go b/tka/tka_clone.go new file mode 100644 index 000000000..323a824fe --- /dev/null +++ b/tka/tka_clone.go @@ -0,0 +1,32 @@ +// Copyright (c) Tailscale Inc & AUTHORS +// SPDX-License-Identifier: BSD-3-Clause + +// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT. + +package tka + +// Clone makes a deep copy of NodeKeySignature. +// The result aliases no memory with the original. +func (src *NodeKeySignature) Clone() *NodeKeySignature { + if src == nil { + return nil + } + dst := new(NodeKeySignature) + *dst = *src + dst.Pubkey = append(src.Pubkey[:0:0], src.Pubkey...) + dst.KeyID = append(src.KeyID[:0:0], src.KeyID...) + dst.Signature = append(src.Signature[:0:0], src.Signature...) + dst.Nested = src.Nested.Clone() + dst.WrappingPubkey = append(src.WrappingPubkey[:0:0], src.WrappingPubkey...) + return dst +} + +// A compilation failure here means this code must be regenerated, with the command at the top of this file. +var _NodeKeySignatureCloneNeedsRegeneration = NodeKeySignature(struct { + SigKind SigKind + Pubkey []byte + KeyID []byte + Signature []byte + Nested *NodeKeySignature + WrappingPubkey []byte +}{})