TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-12 05:37:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

ipn/ipnlocal,tka: generate a nonce for each TKA

Browse Source 
Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto
2022-11-16 15:38:25 -08:00
committed by Tom
parent 6708f9a93f
commit aeb80bf8cb
3 changed files with 41 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ipn/ipnlocal/network-lock.go
View File

@@ -6,7 +6,9 @@ package ipnlocal
import (
"bytes"
"crypto/rand"
"context"
"encoding/binary"
"encoding/json"
"errors"
"fmt"
@@ -418,6 +420,11 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
return errors.New("no node-key: is tailscale logged in?")
}
var entropy [16]byte
if _, err := rand.Read(entropy[:]); err != nil {
return err
}
// Generates a genesis AUM representing trust in the provided keys.
// We use an in-memory tailchonk because we don't want to commit to
// the filesystem until we've finished the initialization sequence,
@@ -429,6 +436,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
// - DisablementSecret: value needed to disable.
// - DisablementValue: the KDF of the disablement secret, a public value.
DisablementSecrets: disablementValues,
StateID1: binary.LittleEndian.Uint64(entropy[:8]),
StateID2: binary.LittleEndian.Uint64(entropy[8:]),
}, nlPriv)
if err != nil {
return fmt.Errorf("tka.Create: %v", err)