control/noise: include the protocol version in the Noise prologue.

Signed-off-by: David Anderson <danderson@tailscale.com>

control/noise/handshake.go

@@ -24,7 +24,12 @@
 
 const (
 	protocolName = "Noise_IK_25519_ChaChaPoly_BLAKE2s"
-	invalidNonce = ^uint64(0)
+	// protocolVersion is the version string that gets included as the
+	// Noise "prologue" in the handshake. It exists so that we can
+	// ensure that peer have agreed on the protocol version they're
+	// executing, to defeat some MITM protocol downgrade attacks.
+	protocolVersion = "Tailscale Control Protocol v1"
+	invalidNonce    = ^uint64(0)
 )
 
 // Client initiates a Noise client handshake, returning the resulting
@@ -227,8 +232,7 @@ func (s *symmetricState) Initialize() {
 	s.k = [chp.KeySize]byte{}
 	s.n = invalidNonce
 	s.mixer = newBLAKE2s()
-	// Mix in an empty prologue.
+	s.MixHash([]byte(protocolVersion))
-	s.MixHash(nil)
 }
 
 // MixHash updates s.h to be BLAKE2s(s.h || data), where || is

control/noise/interop_test.go

@@ -120,7 +120,7 @@ func noiseExplorerClient(conn net.Conn, controlKey key.Public, machineKey key.Pr
 		private_key: machineKey,
 		public_key:  machineKey.Public(),
 	}
-	session := InitSession(true, nil, mk, controlKey)
+	session := InitSession(true, []byte(protocolVersion), mk, controlKey)
 
 	_, msg1 := SendMessage(&session, nil)
 	if _, err := conn.Write(msg1.ne[:]); err != nil {
@@ -182,7 +182,7 @@ func noiseExplorerServer(conn net.Conn, controlKey key.Private, wantMachineKey k
 		private_key: controlKey,
 		public_key:  controlKey.Public(),
 	}
-	session := InitSession(false, nil, mk, [32]byte{})
+	session := InitSession(false, []byte(protocolVersion), mk, [32]byte{})
 
 	var buf [1024]byte
 	if _, err := io.ReadFull(conn, buf[:96]); err != nil {