tka: use ts_omit_tailnetlock in another spot, for ed25519consensus

I noticed this while modularizing clientupdate. With this in first, moving clientupdate to be modular removes a bunch more stuff from the minimal build + tsnet. Updates #17115 Change-Id: I44bd055fca65808633fd3a848b0bbc09b00ad4fa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-27 11:41:14 +00:00 · 2025-09-26 18:21:50 -07:00
parent 9ae8155bab
commit e9dae5441e
5 changed files with 56 additions and 24 deletions
--- a/cmd/tailscaled/depaware-minbox.txt
+++ b/cmd/tailscaled/depaware-minbox.txt
@@ -20,7 +20,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/google/nftables/expr                              from github.com/google/nftables+
        github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
        github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign
     💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
        github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
--- a/tka/key.go
+++ b/tka/key.go
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"

-	"github.com/hdevalence/ed25519consensus"
 	"tailscale.com/types/tkatype"
 )

@@ -136,24 +135,3 @@ func (k Key) StaticValidate() error {
 	}
 	return nil
 }
-
-// Verify returns a nil error if the signature is valid over the
-// provided AUM BLAKE2s digest, using the given key.
-func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
-	// NOTE(tom): Even if we can compute the public from the KeyID,
-	//            its possible for the KeyID to be attacker-controlled
-	//            so we should use the public contained in the state machine.
-	switch key.Kind {
-	case Key25519:
-		if len(key.Public) != ed25519.PublicKeySize {
-			return fmt.Errorf("ed25519 key has wrong length: %d", len(key.Public))
-		}
-		if ed25519consensus.Verify(ed25519.PublicKey(key.Public), aumDigest[:], s.Signature) {
-			return nil
-		}
-		return errors.New("invalid signature")
-
-	default:
-		return fmt.Errorf("unhandled key type: %v", key.Kind)
-	}
-}
--- a/tka/tka.go
+++ b/tka/tka.go
@@ -3,7 +3,7 @@

 //go:build !ts_omit_tailnetlock

-// Package tka (WIP) implements the Tailnet Key Authority.
+// Package tka implements the Tailnet Key Authority (TKA) for Tailnet Lock.
 package tka

 import (
--- a/tka/verify.go
+++ b/tka/verify.go
@@ -0,0 +1,36 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_tailnetlock
+
+package tka
+
+import (
+	"crypto/ed25519"
+	"errors"
+	"fmt"
+
+	"github.com/hdevalence/ed25519consensus"
+	"tailscale.com/types/tkatype"
+)
+
+// signatureVerify returns a nil error if the signature is valid over the
+// provided AUM BLAKE2s digest, using the given key.
+func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
+	// NOTE(tom): Even if we can compute the public from the KeyID,
+	//            its possible for the KeyID to be attacker-controlled
+	//            so we should use the public contained in the state machine.
+	switch key.Kind {
+	case Key25519:
+		if len(key.Public) != ed25519.PublicKeySize {
+			return fmt.Errorf("ed25519 key has wrong length: %d", len(key.Public))
+		}
+		if ed25519consensus.Verify(ed25519.PublicKey(key.Public), aumDigest[:], s.Signature) {
+			return nil
+		}
+		return errors.New("invalid signature")
+
+	default:
+		return fmt.Errorf("unhandled key type: %v", key.Kind)
+	}
+}
--- a/tka/verify_disabled.go
+++ b/tka/verify_disabled.go
@@ -0,0 +1,18 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ts_omit_tailnetlock
+
+package tka
+
+import (
+	"errors"
+
+	"tailscale.com/types/tkatype"
+)
+
+// signatureVerify returns a nil error if the signature is valid over the
+// provided AUM BLAKE2s digest, using the given key.
+func signatureVerify(s *tkatype.Signature, aumDigest tkatype.AUMSigHash, key Key) error {
+	return errors.New("tailnetlock disabled in build")
+}