tka: use ts_omit_tailnetlock in another spot, for ed25519consensus

I noticed this while modularizing clientupdate. With this in first,
moving clientupdate to be modular removes a bunch more stuff from
the minimal build + tsnet.

Updates #17115

Change-Id: I44bd055fca65808633fd3a848b0bbc09b00ad4fa
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick
2025-09-26 18:21:50 -07:00
committed by Brad Fitzpatrick
parent 9ae8155bab
commit e9dae5441e
5 changed files with 56 additions and 24 deletions


@@ -20,7 +20,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
github.com/google/nftables/expr from github.com/google/nftables+ github.com/google/nftables/expr from github.com/google/nftables+
github.com/google/nftables/internal/parseexprfunc from github.com/google/nftables+ github.com/google/nftables/internal/parseexprfunc from github.com/google/nftables+
github.com/google/nftables/xt from github.com/google/nftables/expr+ github.com/google/nftables/xt from github.com/google/nftables/expr+
github.com/hdevalence/ed25519consensus from tailscale.com/clientupdate/distsign+ github.com/hdevalence/ed25519consensus from tailscale.com/clientupdate/distsign
💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/netmon
github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink
github.com/klauspost/compress from github.com/klauspost/compress/zstd github.com/klauspost/compress from github.com/klauspost/compress/zstd


@@ -8,7 +8,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"github.com/hdevalence/ed25519consensus"
"tailscale.com/types/tkatype" "tailscale.com/types/tkatype"
) )
@@ -136,24 +135,3 @@ func (k Key) StaticValidate() error {
} }
return nil return nil
} }
// Verify returns a nil error if the signature is valid over the
// provided AUM BLAKE2s digest, using the given key.
func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
// NOTE(tom): Even if we can compute the public from the KeyID,
// its possible for the KeyID to be attacker-controlled
// so we should use the public contained in the state machine.
switch key.Kind {
case Key25519:
if len(key.Public) != ed25519.PublicKeySize {
return fmt.Errorf("ed25519 key has wrong length: %d", len(key.Public))
}
if ed25519consensus.Verify(ed25519.PublicKey(key.Public), aumDigest[:], s.Signature) {
return nil
}
return errors.New("invalid signature")
default:
return fmt.Errorf("unhandled key type: %v", key.Kind)
}
}


@@ -3,7 +3,7 @@
//go:build !ts_omit_tailnetlock //go:build !ts_omit_tailnetlock
// Package tka (WIP) implements the Tailnet Key Authority. // Package tka implements the Tailnet Key Authority (TKA) for Tailnet Lock.
package tka package tka
import ( import (

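--- /dev/null
+++ b/tka/verify.go
@@ -0,0 +1,36 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build !ts_omit_tailnetlock
+package tka
+import (
+"crypto/ed25519"
+"errors"
+"fmt"
+"github.com/hdevalence/ed25519consensus"
+"tailscale.com/types/tkatype"
+)
+// signatureVerify returns a nil error if the signature is valid over the
+// provided AUM BLAKE2s digest, using the given key.
+func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
+// NOTE(tom): Even if we can compute the public from the KeyID,
+// its possible for the KeyID to be attacker-controlled
+// so we should use the public contained in the state machine.
+switch key.Kind {
+case Key25519:
+if len(key.Public) != ed25519.PublicKeySize {
+return fmt.Errorf("ed25519 key has wrong length: %d", len(key.Public))
+}
+if ed25519consensus.Verify(ed25519.PublicKey(key.Public), aumDigest[:], s.Signature) {
+return nil
+}
+return errors.New("invalid signature")
+default:
+return fmt.Errorf("unhandled key type: %v", key.Kind)
+}
+}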
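Review bot: The use of ed25519consensus.Verify rather than crypto/ed25519.Verify inside signatureVerify is load-bearing but undocumented; the two libraries do not agree on every edge-case signature (ed25519consensus implements the ZIP-215 consensus rules), and since every node must reach the same verdict on an AUM's signature, a later "simplification" to the standard library could split nodes' view of the authority chain. I would add above the call: `// ed25519consensus (ZIP-215 rules), not crypto/ed25519: verification is consensus-critical, so every node must accept exactly the same set of signatures.` Separately, `s.Signature` dereferences the pointer with no nil guard, so if any caller can reach here with a nil *tkatype.Signature this panics instead of returning an error; either `if s == nil { return errors.New("nil signature") }` or a doc note that s must be non-nil would make the contract explicit.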

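--- /dev/null
+++ b/tka/verify_disabled.go
@@ -0,0 +1,18 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build ts_omit_tailnetlock
+package tka
+import (
+"errors"
+"tailscale.com/types/tkatype"
+)
+// signatureVerify returns a nil error if the signature is valid over the
+// provided AUM BLAKE2s digest, using the given key.
+func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
+return errors.New("tailnetlock disabled in build")
+}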
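Review bot: The doc comment on the stub signatureVerify is copied from the real implementation and promises a nil error "if the signature is valid", but this build never returns nil, so the comment misstates the contract. Failing closed is the right behaviour for a compiled-out verifier and is worth stating so nobody later "fixes" it to return nil: `// signatureVerify always fails: Tailnet Lock verification is compiled out by the ts_omit_tailnetlock build tag, so every signature is treated as invalid (fail closed) rather than silently accepted.` Renaming the unused parameters to `_` would also make it obvious at a glance that nothing is inspected.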